SAITS

SAITS news 2003

Spyware watches 'every keystroke'

(2003-12-22) [canada.com] Downloaders of free digital music should be aware their computers may be infected with spyware that could compromise passwords and even online bank accounts, says the president of a prominent global Internet security company.

John Schwarz, an executive with California-based Symantec, laid out a chilling scenario for members of the Vancouver Board of Trade in a keynote address recently. "If your kids download music, I guarantee you that on your home computer you have a piece of spyware that tracks every keystroke you make on your keyboard, and telegraphs those keystrokes to somebody who's watching your system," Schwarz said. (Article by Jim Jamieson)

[source: Technology News]

Microsoft Palladium Privacy - Unique Identifier Issues

(2003-12-23) [EPIC] EPIC has obtained documents from the National Institute of Standards and Technology under the Freedom of Information Act describing Microsoft Palladium. The documents describe Palladium's applications for Digital Rights Management and note that the technology embeds "unique machine identifiers," thus raising risks that user behavior may be subject to traffic analysis.

Issues raised by Palladium, which is now known as the Next Generation Secure Computing Base, are similar to privacy problems with the controversial Intel Pentium Serial Number. For more information, see Big Brother Inside and the EPIC Palladium and Digital Rights Management Pages.

[source: EPIC Latest News]

EPIC urges FCC to protect privacy of Internet telephony users

(2003-12-17) [EPIC] EPIC has urged the Federal Communications Commission to address the privacy implications of Voice over Internet Protocol (VoIP), a technology that enables Internet telephony. In a letter to the agency, EPIC recounted the FCC's past actions to protect privacy, and argued that the adoption of genuine privacy practices will accelerate the adoption and security of Internet telephony. Specifically, EPIC requested that the FCC create "technical and legal safeguards to protect communications traffic (content and routing information) and user location information, and to ensure that those expert in privacy law and regulation participate in the work of the FCC on VOIP."

The EPIC VoIP Letter is available at: http://www.epic.org/privacy/voip/fccltr12.15.03.html

[source: EPIC Alert vol 10 no 25]

Dutch Lower House accepts compulsory identification

(2003-12-18) [EDRI] On 16 December the Dutch Lower House accepted a legal proposal to introduce compulsory identification for all persons from the age of fourteen. People unable to immediately show a valid passport, driver's licence or (cheaper) identity card risk a fine of up to 2,250 Euro.

Refusal will constitute a criminal offence. Every police officer, including military police, any extraordinary law enforcement agent and any police-related supervisor may ask for proof of identity. According to the explanatory statement the police must have a reasonable cause related to their task to ask for ID, but there is no need for an actual suspicion of an offence.

[source: EDRI-gram - Number 24, December 18,2003]

PNR: EU Commission negotiates breach of law

(2003-12-18) [EDRI] On 16 December the European Commission presented the long-awaited outcome of its negotiations with the U.S. Department of Homeland Security on the transfer of Passenger Name Record (PNR) data to the U.S. As expected, the outcome is a foul compromise, creating a permanent breach of law.

The proposed solution to the problem is the development of a 'push' system in which the data are actively transmitted to the USA after the unnecessary information has been filtered out. That future development is now also used to justify current practices. In order to make the agreement more acceptable to the EU, the U.S. has reduced its demand from 60 data fields per passenger to 34, and promised to retain the data for 'only' 42 months instead of the 50 years it originally intended. In addition, it assures that the data will not be shared with any agencies outside the homeland security department. There is no way, however, to assure that any of this is going to happen.

[source: EDRI-gram - Number 24, December 18,2003]

Hustinx new EU data protection commissioner

(2003-12-18) [EDRI] Peter Hustinx, the Dutch data protection commissioner, will be elected today as the new EU data protection commissioner.

The Conference of Presidents, composed of the heads of the political groups in the European Parliament, decided to back down from its original idea of giving the position to the Spanish magistrate Joaquín Bayo Delgado. He will now be appointed Assistant Commissioner. The decision will be made public today, after the Council has approved it. Back in May Bayo Delgado, backed by an informal coalition of Spanish MEPs, won a test vote in the European Parliament Interior Affairs committee. Civil liberties organisations responded with surprise because he was the only candidate on the list with no record of data protection or privacy advocacy at all. Hustinx, by contrast, is well known, has many contacts with the Commission in Brussels and is a regular visitor and contributor at events on EU data protection. Many Brussels insiders therefore regarded him as the 'natural candidate'.

[source: EDRI-gram - Number 24, December 18,2003]

This Car Can Talk. What It Says May Cause Concern.

(2003-12-29) [New York Times] [GM's] OnStar is one of a growing number of automated eyes and ears that enhance driving safety and convenience but that also increase the potential for surveillance. Privacy advocates say that the rise of the automotive technologies, including electronic toll areas, location-tracking devices, "black box" data recorders like those found on airplanes and even tiny radio ID tags in tires, are changing the nature of Americans' relationship with their cars.

Tires, too, can tell on drivers. This year, Michelin began implanting match-head-sized chips in tires that can be read remotely. The company started using the chips to provide manufacturing information that could help spot failure trends and to comply with a federal law requiring close tracking of tires for recalls. But privacy activists fear that the chips, which can be loaded with a car's vehicle identification number, would allow yet another form of automated vehicle tracking. "You basically have Web browser 'cookies' in your tires," said Richard M. Smith, an independent privacy researcher.

Full article by J Schwartz at http://www.nytimes.com/2003/12/29/technology/29car.html?th=&pagewanted=all

[source: NYTimes.com]

UK Government's biometric plans undermined

(2003-12-03) [EDRI] The biometric technique that has been selected for incorporation into the new UK national ID card has been undermined in the scientific press. New Scientist has reported that the technique of iris scanning is not as perfect and infallible as the Home Secretary (Minister of Internal Affairs) has claimed. The article alleged that the technology was prone to failure and that its success could not be guaranteed if used on a national scale.

New Scientist reported that the key problem "is the limited accuracy of biometric systems combined with the sheer number of people to be identified. The most optimistic claims for iris recognition systems are around 99 per cent accuracy - so for every 100 scans, there will be at least one false match". See 'Biometric cards will not stop identity fraud', New Scientist (21.11.2003) http://www.newscientist.com/news/news.jsp?id=ns99994393.
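A worked illustration of that scaling argument, added here and not code from the SAITS digest or the New Scientist article. It models a 1:N identification search (one probe iris compared against every enrolled template) with a per-comparison false match rate (FMR) rather than the article's looser "accuracy" figure; the FMR values and the 60 million enrolment size are assumptions for illustration, not figures from the page.

```python
"""Added illustration (not from the SAITS digest or New Scientist): how a
per-comparison false match rate scales up in a 1:N search against a
national-size enrolment database.  All rates and population figures are
assumptions for illustration."""
import math


def p_any_false_match(fmr: float, enrolled: int) -> float:
    """Probability that one 1:N search against `enrolled` templates returns
    at least one false match: 1 - (1 - fmr)**enrolled.  Computed with
    log1p/expm1 so that tiny rates and large N do not lose precision."""
    return -math.expm1(enrolled * math.log1p(-fmr))


def expected_false_matches(fmr: float, enrolled: int, searches: int) -> float:
    """Expected number of false matches over `searches` independent 1:N searches."""
    return fmr * enrolled * searches


def fmr_for_target(enrolled: int, max_p: float) -> float:
    """Per-comparison FMR needed so that a single 1:N search has at most
    probability `max_p` of any false match (inverse of p_any_false_match)."""
    return -math.expm1(math.log1p(-max_p) / enrolled)


if __name__ == "__main__":
    N = 60_000_000  # assumed enrolment, roughly a national population
    for fmr in (1e-2, 1e-4, 1e-6, 1e-8):
        print(f"FMR {fmr:.0e}: P(any false match per search) = "
              f"{p_any_false_match(fmr, N):.4f}, expected false matches per "
              f"million searches = {expected_false_matches(fmr, N, 1_000_000):,.0f}")
    print(f"FMR needed for P <= 1% per search at N={N:,}: "
          f"{fmr_for_target(N, 0.01):.2e}")
```

The point the numbers make is the one the article gestures at: a 1% per-comparison rate is hopeless at any scale, and even a one-in-a-million rate still makes a false match near certain once a single probe is compared against tens of millions of templates, so the per-comparison rate needed for a usable national 1:N system is orders of magnitude lower than anything quoted as "accuracy".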

[source: EDRI-gram - Number 23, December 3,2003]

Dutch parliament questions crypto telephone

(2003-12-03) [EDRI] The presentation of a crypto mobile telephone has stirred some controversy in the Netherlands. The Cryptophone has been developed in the Netherlands and is sold through a German company. The device is a combined GSM and organiser running Windows Pocket PC. The software encrypts the call when connecting to another Cryptophone. The Cryptophone should make it impossible for any third-party, including the phone company and police, to listen to the call.

The Cryptophone is legal under Dutch law, which places no restriction on the use of cryptography by citizens. It is not expected that legislation will be passed to change this situation. In 2002 the Netherlands decided not to impose key escrow on Trusted Third Parties. Dutch export regulation follows the liberal EU regulations, which place few restrictions on cryptographic products for the consumer market.

Other European countries have few or no restrictions on the use of cryptography. France, which used to have laws against the use of strong crypto, liberalised its law completely in 2001. Programs like PGP and GPG are widely available and used throughout Europe.

[source: EDRI-gram - Number 23, December 3,2003]

EP Rapporteur sceptic about biometrics in id-cards

(2003-12-03) [EDRI] Ole Sorensen, the Rapporteur for the European Parliament on two proposals for Council Regulations to include biometric identifiers into visas and ID cards, is questioning the proportionality and the adequacy of this measure to enhance security standards of EU travel documents.

In a Working Document discussed at an internal meeting with the shadow rapporteurs of the political groups, Sorensen criticises the Commission and the Council for not even being able to enumerate the number of falsified visas, passports and ID cards, which still have to serve as a justification for the biometrics proposal.

[source: EDRI-gram - Number 23, December 3,2003]

Irish Labour party wants to stop e-voting

(2003-12-03) [EDRI] The Irish Labour Party is urging suspension of e-voting until major flaws are fixed. Ireland is planning to change over completely to electronic voting in June 2004, for both local and European elections.

Besides organising an end-to-end test and using formal mathematical methods to ensure the reliability of the system, Labour demands the introduction of a Voter Verifiable Audit Trail (VVAT): a parallel paper record of votes cast that could be stored and checked in the event of a dispute over an election outcome.

The Belgian e-voting expert David Glaude reports an incident with e-voting in Belgium. Not widely publicised, it took place on 18 May 2003 in the municipality of Schaerbeek. The total number of preferential votes cast for a specific candidate was higher than the total number of votes for his list, an impossible result. A series of tests was conducted on the computer of the president of the voting committee, but the error could not be reproduced. The difference was exactly 4,096 votes (2^12), leading the research team to conclude that the error was probably due to a single bit spontaneously flipping in the PC's read-write memory (RAM).

The Belgian e-voting system is fairly complex, with a blank magnetic card that every voter has to insert into a voting machine. After voting, the card must be put into a ballot box. Attached to the ballot box is a computer with a floppy drive, and the voting results are written to a floppy disk.
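The two checks behind the Schaerbeek finding, as an added example that is not code from the SAITS digest or from David Glaude's report: a tally invariant (a candidate's preferential votes can never exceed the votes for that candidate's list) and a test of whether the excess is an exact power of two, the signature of one flipped bit in a binary counter. The list and candidate names and all vote counts are constructed for the example.

```python
"""Added example (not from the SAITS digest or David Glaude's report):
invariant check over election tallies plus a single-bit-flip diagnosis,
run on constructed data.  4096 == 1 << 12, so an excess of exactly 4096
is what one flipped bit at position 12 looks like."""


def invariant_violations(results):
    """results: {list_name: {"list_total": int, "candidates": {name: votes}}}
    Return (list_name, candidate, excess) for every candidate whose
    preferential votes exceed the total for the list."""
    found = []
    for list_name, data in results.items():
        total = data["list_total"]
        for cand, votes in data["candidates"].items():
            if votes > total:
                found.append((list_name, cand, votes - total))
    return found


def flipped_bit(excess: int):
    """Bit position if `excess` is a positive power of two, else None."""
    if excess > 0 and excess & (excess - 1) == 0:
        return excess.bit_length() - 1
    return None


def diagnose(observed: int, reference: int):
    """Test whether `observed` can be explained as `reference` with exactly
    one bit flipped from 0 to 1.  Returns the bit and corrected value, or
    None when a single bit flip does not account for the difference."""
    bit = flipped_bit(observed - reference)
    # the flipped bit must be set in the corrupted value (it was 0 before)
    if bit is None or ((observed >> bit) & 1) == 0:
        return None
    return {"bit": bit, "corrected": observed ^ (1 << bit)}


# Constructed tallies (not real results): C3's count carries one flipped bit.
SAMPLE = {
    "List A": {"list_total": 1200, "candidates": {"C1": 700, "C2": 300}},
    "List B": {"list_total": 850, "candidates": {"C3": 850 + 4096, "C4": 120}},
}

if __name__ == "__main__":
    for list_name, cand, excess in invariant_violations(SAMPLE):
        data = SAMPLE[list_name]
        verdict = diagnose(data["candidates"][cand], data["list_total"])
        print(f"{list_name} / {cand}: excess {excess} -> {verdict}")
```

Two caveats a practitioner would keep in mind: the excess over the list total is only a lower bound on the corruption unless the true count happens to equal the bound, and a power-of-two difference is evidence for a single bit flip, not proof of it. That is exactly why a paper record (the VVAT that Labour is demanding) matters: without one, there is nothing to recount against, and "probably a memory error" is as far as the investigation can go.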

[source: EDRI-gram - Number 23, December 3,2003]

FCC holds Internet telephony forum

(2003-12-03) [EPIC] The Federal Communications Commission held a forum this week to discuss "Voice Over Internet Protocol" (VoIP), a technology used to facilitate Internet telephony. Many privacy issues are raised by the technology.

First, VoIP users can evade police wiretapping in some cases. As a result, the FBI has sought to impose new requirements on Internet telephony providers that would facilitate wiretapping. Second, location privacy issues are raised with the development of "presence sensing" and E911-compliant Internet telephony systems. Finally, developing Internet telephony contact systems, such as ENUM, may depend on individuals posting personal contact information in publicly-available databases. Information on the FCC VOIP Forum is available at: http://www.fcc.gov/voip/.

[source: EPIC Alert vol 10 no 24]

Coalition Recommends RFID Privacy Practices

(2003-12-03) [EPIC] More than 35 groups, including EPIC, have endorsed a privacy statement outlining the threats and best practices for the use of Radio Frequency Identification (RFID) technology in consumer products.

The debate over use of RFID technology is not just playing out in theory and privacy statements. The technology has been making headlines recently as more and more retail outlets are stocking their shelves with products tagged by RFID. Wal-Mart received criticism for the company's secret testing of RFID in health and beauty products earlier this year, but that has not stopped the push for RFID. Wal-Mart announced that it intends to require all of the products sold in the store to be tagged with RFID within two years. The coalition's position paper is available at: http://www.privacyrights.org/ar/RFIDposition.htm.

[source: EPIC Alert vol 10 no 24]

New Voting Committee Formed to Promote Verification

(2003-12-03) [EPIC] A new organization dedicated to promoting voting integrity in the U.S. has urged the 2004 presidential candidates to take a stand on electronic voting issues. The recently-formed National Committee for Voting Integrity (NCVI) held a press conference to discuss the reliability and integrity of electronic voting systems. The Committee also presented its letter to the presidential candidates, calling on them to state their position on electronic voting machines and asking what steps they believe should be taken to ensure the integrity of the election process.

The formation of the National Committee for Voting Integrity comes as the debate over electronic voting has reached a new level of intensity. The Committee's website is available at: http://www.votingintegrity.org.

[source: EPIC Alert vol 10 no 24]

New Phones Raise Privacy Fears

(2003-12-04) [PC World] You've just flipped the bird at a driver who splashed you with mud. A rude moment soon forgotten by anyone who saw it, right? Maybe not, if one of those witnesses has a cell phone with a digital camera.

The same size as regular cell phones, cam phones can snap photos while users appear to make calls. Candid shots can be e-mailed to friends or sent to sites that have automated "moblogging" (mobile blogging) such as Buzznet.com, Fotolog.net, and Textamerica.com, and there viewed worldwide in seconds. That means every faux pas, and even more private moments (in locker rooms or store dressing areas, say), can become fodder for public consumption.

"What's the difference if you have a camera phone or a regular camera to take a picture?"

For now, the law agrees. By going out in public, people surrender some privacy; a cam phone's immediacy alone does not violate privacy laws, says Daniel Solove, a law professor specializing in privacy law. So users are unlikely to be sued for taking shots like Dann's. But there are limits.

Some courts recognize an invasion of privacy if one's reputation is hurt or a photo causes severe embarrassment, says Solove, but such shots must be very offensive and not legitimate news--someone in an adult bookstore, for example. (Article by Carla Thornton)

[source: PCW OnLine]

High-Tech Homeland Security Suffers

(2003-12-03) [PC World] The U.S. is not taking advantage of its technology expertise to fight terrorism, according to a new report authored by leading IT and national security experts.

The problem is largely due to the fact that U.S. government agencies are still reluctant to share information with each other, two years after the September 11 terrorist attacks, the report says. The Markle Foundation report, "Creating a Trusted Information Network for Homeland Security," released Tuesday, recommends that President Bush set up a decentralized terrorism analysis network that would encourage government agencies to share information with each other and with local law enforcement agencies. The report is available at http://www.markle.org/.

[source: PCW OnLine]

Social Networking Reaches Into the Enterprise

(2003-12-03) [eWeek] An early entrant into the enterprise social networking field is unveiling an updated version of its software on Wednesday.

Contact Network Corp., of Boston, is releasing Contact Network 2.5, server software that allows corporations to create their own private social networks where employees can mine each other's contacts to find new introductions and sales leads. Enterprise social networks remain relatively new, since most of the attention around social networking has focused on consumer-oriented Web sites such as Friendster.

Contact Network ensures privacy by allowing users the choice of whether to participate—about 99 percent do opt in—as well as the ability to block specific contacts in their address books, Hyatt said. Also, no employee can gain access to a contact without first going through the employee who knows the contact. In the new version, administrators also are able to set some universal privacy settings by defining the maximum level of contact sharing allowed. "We err on the side of privacy, and there's no reason to push the envelope unnecessarily," Hyatt said.

[source: EW OnLine]

UK to consider national biometric ID cards, database

(2003-12-02) [ComputerWorld] The UK government is set to consider legislation next year for the establishment of compulsory biometric identity cards and a central database of all UK subjects, it was announced by the government this week.

The Identity Cards Bill is to be considered in the next session of Parliament, the government announced. As proposed by Secretary of State for the Home Department David Blunkett earlier this month, the legislation calls for a system of ID cards carrying biometric identifiers in an embedded chip, linked to a "secure national database," to be created by 2010. The purpose of the ID cards is to deal with the "21st century challenges" of greater global mobility and advancing technology while combating such problems as illegal working, immigration abuse, ID fraud, terrorism and organised crime, according to Blunkett. (Article by Laura Rohde)

[source: CW OnLine]

Workshop on spam

(2003-11-30) [European Multimedia Forum] The European Commission hosted a workshop on spam on 16 October 2003 in Brussels. Spam is growing dangerously, with estimates that it now accounts for up to 50% of e-mail. Spam (the common name for "unsolicited electronic commercial communications") is prohibited under the European Directive on Privacy and Electronic Communications, which entered into force on 31 October 2003 (and has so far been implemented only by Austria, Denmark, Italy and Sweden!).

An issue paper is accessible here.

[source: EMF NEWSFLASH -November 2003 ]

"1984" pending upon all of us?

(2003-11-30) [European Multimedia Forum ] A study of the European JRC - Joint Research Center "Security and privacy for the Citizen in the Post-September 11 Digital Age" reveals some shifts from former "reactive" to "pro-active" security protection strategies. It says that the "balance between privacy and security is being shifted both by emerging ICTs and by governments' actions in response to rising crime and terrorism". At the same time, it recognises the concern about privacy and security as the main obstacles to a take-off of e-commerce.

For a summary of the report, read here.

[source: EMF NEWSFLASH -November 2003 ]

Data Privacy, Emergency Response, Weather Prediction to Benefit from Information Technology Advances

(2003-09-17) [National Science Foundation] NSF Information Technology Research program announces awards for 2003. Protecting individual privacy in a networked world, getting the right information at the right time for emergency response, predicting high-impact local weather such as thunderstorms, and monitoring wetlands with networks of mobile robotic sensors are the challenges being addressed by four of the eight large projects funded this year by the National Science Foundation (NSF) in the Information Technology Research (ITR) program.

Project title: Sensitive Information in a Wired World

Project Director: Dan Boneh, Stanford University

Collaborators: Yale University, University of New Mexico, New York University, Stevens Institute of Technology, U.S. Secret Service, U.S. Census Bureau, Department of Health and Human Services, Microsoft, IBM, Hewlett Packard, Citigroup, Center for Democracy and Technology, Electronic Privacy Information Center

Amount: $12.5 million

The increased use of networked computers and databases in almost every aspect of daily life has led to a proliferation of sensitive data, but without a comprehensive infrastructure for handling these data over their lifetime. This project will develop methods for privacy-preserving data mining that respect and protect individual rights but allow law enforcement and legitimate users to mine massive data sets. The research team will also develop database tools that enforce privacy policies while managing sensitive data and release tools for end-users to prevent identity theft via spoofed or malicious Web sites.

[source: NSF Press Release ]

Taking Cues from Mother Nature to Foil Cyber Attacks

(2003-11-25) [National Science Foundation ] Taking their cues from Mother Nature and biodiversity, computer scientists at Carnegie Mellon University and the University of New Mexico are collaborating on a National Science Foundation (NSF)-supported project to study "cyber-diversity" for computer systems as a way to fend off malicious viruses, worms and other cyber attacks.

In nature, diseases are most devastating when an infection-causing organism encounters a "monoculture," a vast swath of genetically similar individuals, each susceptible to the organism's method of attack. In the same vein, computer viruses and worms exploit the same flaw on every computer running the same software.

"We are looking at computers the way a physician would look at genetically related patients, each susceptible to the same disorder," said Mike Reiter, a professor of electrical and computer engineering and computer science at Carnegie Mellon and associate director of CyLab, a Carnegie Mellon initiative focused on advancing cybersecurity technology and education. "In a more diverse population, one member may fall victim to a pathogen or disorder, while another might not have the same vulnerability."

[source: NSF Press Release ]

Internet Voting is no "Magic Ballot," Distinguished Committee Reports

(2003-12-04) [National Science Foundation] Panel calls for further study of security and societal issues.

Trials should proceed in which Internet terminals are used at traditional polling places, but remote voting from home or the workplace is not viable in the near future. So says a new report, commissioned by the National Science Foundation (NSF), in which a committee of experts calls for further research into complex security and reliability obstacles that for now impede the Internet's use in public elections.

[source: NSF Press Release ]

Identity theft by the numbers

(2003-09-01) [Federal Trade Commission] Identity theft is the fastest growing form of white-collar crime in the United States, and has a $2.5 billion impact on consumers everywhere. The cost of ID theft is expected to reach $3.7 billion by the end of 2006.

See graph on number of US victims of ID theft. (From "Federal Trade Commission Overview of the Identity Theft Program October 1998 - September 2003", September 2003)

[source: on the Web: For the Consumer ]

ID Theft: What's It All About

(2003-10-01) [Federal Trade Commission] The 1990s spawned a new variety of crooks called identity thieves. Their stock in trade? Your everyday transactions, which usually reveal bits of your personal information: your bank and credit card account numbers; your income; your Social Security number (SSN); or your name, address, and phone numbers. An identity thief obtains some piece of your sensitive information and uses it without your knowledge to commit fraud or theft.

Skilled identity thieves use a variety of methods to gain access to your personal information. For example:

They scam information from you by posing as a legitimate business person or government official.

Once identity thieves have your personal information, they may:

[source: on the Web: For the Consumer ]

RFID-detector wins German idea-contest

(2003-11-19) [EDRI] The German civil rights and privacy organisation FoeBuD is the winner of an idea contest for a national awareness campaign about the infringement of civil liberties through new technologies. With the prize of 15,000 Euro, FoeBuD wants to develop a 'Dataprivatizer', a tool to detect RFID tags, the minuscule spy chips that are increasingly built into consumer goods.

The German chain of supermarkets and DIY-stores Metro AG already won a Big Brother Award last month for implementing this technology.

[source: EDRI-gram - Number 22, November 19,2003]

EU Court of Justice rules against personal data on website

(2003-11-19) [EDRI] Referring to identifiable persons on a website, whether by naming them or in any other manner, is an act of processing personal data and must therefore be dealt with under EU Directive 95/46/EC. That is the substance of a recent judgement of the European Court of Justice (case C-101/01, Bodil Lindqvist). It is the first time the court has ruled on the scope of the data protection directive and on the free movement of such data on the internet.

Judgement by EU Court of Justice (06.11.2003): http://www.curia.eu.int/jurisp/cgi-bin/gettext.pl?lang=en&num=79968893C19010101&doc=T&ouvert=T&seance=ARRET&where=()

[source: EDRI-gram - Number 22, November 19,2003]

UK House of Lords approves Snoopers' Charter

(2003-11-19) [EDRI] On 13 November, the UK House of Lords unexpectedly approved a very controversial 'Snoopers' Charter'. The three pieces of secondary legislation approve a 'voluntary' data retention scheme, and give a long list of government agencies self-authorised access to phone and Internet logs.

Throughout the debate it appeared that the government's proposals to place every UK email and phone account under surveillance was doomed. Conservative, Liberal Democrat and Cross Bench peers had vowed to oppose them. The Joint Human Rights Committee of the Parliament had expressed 'grave reservations' about the plans. Independent legal analysis had ruled them unlawful. Grim faced Home Office Officials sitting in the Advisors Box of the Lord's had admitted they were expecting the worst. But in spite of all that, at the eleventh hour the government snatched victory from the jaws of defeat.

[source: EDRI-gram - Number 22, November 19,2003]

Privacy not absolute as technology changes expectations

(2003-11-20) [Computer World] The battle over what is public and what is private has always been a difficult one but it's become even more so with the introduction of the internet and camera phones, says district court judge David Harvey. Speaking at a meeting of the Internet Safety Group in Auckland yesterday, he said the right to privacy in a public place is limited compared with an individual's expectation of privacy at home behind closed doors.

"There is no prohibition against taking photographs on a public street. Indeed, there is no prohibition against taking a photograph of a private property from a public street and I would think most New Zealanders would be quite unhappy if they were told they couldn't take a photo under such circumstances." The question before law makers and courts however, is not so much how or where the photograph was taken, but what is done with the photograph. (article by Paul Brislen)

[source: Computer World onLine]

Lawmakers struggle to outlaw spyware

(2003-11-19) [theStar] Lawmakers have yet to get a handle on the best way to combat computer "spyware" that tracks Internet users' online activity, a nonprofit policy group said on Tuesday. Rather than drafting narrowly targeted legislation to outlaw specific snooping tactics, Congress should establish broad online privacy rights to protect against secret online surveillance, the Centre for Democracy and Technology said.

Several lawmakers have introduced bills targeting spyware, but they are so broadly written that they could outlaw largely innocuous technologies like "cookies" and software-update utilities, which pose little threat. (from Reuters)

[source: theStar online]

RFID Tags and the Question of Personal Privacy

(2003-11-18) [TechNewsWorld] Refrigerators soon will be able to read the RFID tags of their contents. These "smart ice boxes" then will alert their owners to fetch another carton of milk, toss an out-of-date product or cut back on unhealthy dietary items.

Radio Frequency Identification, or RFID, is an old technology that has been quietly revolutionizing business and industry. Back in World War II, the British used RFID signals to confirm the identity of their own aircraft in flight. Today, RFID has permeated our society. It is used to track everything from pets to prisoners to products. Over the past several years, the technology has helped optimize inventory and business systems and has made consumers' lives more convenient. But some industry watchers say RFID has the potential to become a threat to user identification security. (Article by Jack M. Germain)

[source: TechNewsWorld online]

Privacy groups wary of tracking

(2003-11-18) [The Enquirer] Raising new concerns about the gathering of data on consumer purchases and the possible sharing of that information, privacy advocates are criticizing Procter & Gamble Co.'s push to put computer chips in the packaging of its products.

The smart-tag program already has gained the support of corporate giants such as Wal-Mart Stores Inc., which has mandated that its top 100 suppliers use the tags by 2005 to help it track inventory. At less than a nickel each, the computer chips already are being tested on pallets and shipping cases, helping companies keep store shelves stocked. But a test this summer of individual packages of P&G's Max Factor Lipfinity lipstick at an Oklahoma Wal-Mart store has raised new criticism. (Article by Cliff Peale)

[source: The Enquirer Online]

Privacy Disagreement

(2003-11-18) [The Shorthorn] Information Technology officer says reading online policies is key to keeping personal information where it belongs. Students often skim through the privacy terms of an online agreement without thinking twice. But maybe they shouldn’t.

The World Privacy Forum released a study last Tuesday stating that professional job search Web sites and some internship and scholarship sites are possibly violating privacy laws when collecting personal information. The forum, a nonprofit organization focused on researching privacy issues, also launched last week. (Article by Erica Bryant)

[source: The Shorthorn Online]

Biometrics Technology for Java Based Smart Cards

(2003-11-18) [Java Developer's Journal] Responding to increased demand for the integration of biometrics technologies into Java technology-based smart cards, Precise Biometrics, which develops and sells user-friendly biometric security solutions based on fingerprints, is cooperating with Sun to expand its combined fingerprint and smart card technology, Precise Match-on-Card, to support Sun's Solaris operating system. [ "Watch your fingers!" ]

This new partnership will enable Sun to offer its customers the advantages of combining biometrics and Java Card technology for identity management within IT security solutions, such as Web Single Sign-On. In addition to its compatibility with Java smart cards, the solution has been made compatible with Sun's Solaris operating system and will be offered by Precise Biometrics as a software development kit specifically designed for application providers. This solution is a result of Precise Match-on-Card, Precise Biometrics' technology for fingerprint matching on smart cards.

[source: JDJ on the Web]

Liberty Alliance Finalizes Phase 2 Specifications and Privacy Guidelines for Federated Identity

(2003-11-17) [Web Services Journal] The Liberty Alliance has approved and published its Phase 2 specifications, which round out the existing Liberty Federation Framework and cement the foundation for the Liberty Identity Web Services Framework. The final Liberty Phase 2 specifications are now available for download to be used for Liberty-enabled product and service development. The Alliance also recently announced initial member implementation plans for the Phase 2 specifications, a best practices "owners manual" to help Liberty implementers use the specifications in a privacy-compliant manner, and the formation of a new group, the Services Group, to develop service interface specifications that exploit the Liberty Identity Web Services Framework.

To assist implementers in developing identity-based Web services that are secure, privacy enhancing, and in compliance with local laws, the Alliance has released its final "Privacy and Security Best Practices" guide, available for download. The guide offers information regarding privacy laws and fair information practices in various regions and sectors, suggestions to combat common network vulnerabilities, and the Alliance’s recommendations regarding privacy and security.

[source: WSJ On the Web]

RFID Backers, Privacy Advocates Seek Common Ground

(2003-11-17) [Information Week] Both sides appeared to agree that consumers must be given notice if the chips are used on individual products and need to be educated about RFID's benefits and potential for misuse. Consumers must be given notice if radio-frequency identification chips are ever used on individual products and packaging, and they need to be better educated about the technology's benefits and potential for misuse. Privacy advocates and RFID backers appeared to agree on at least that much Saturday at a workshop on RFID and privacy involving several hundred representatives of RFID technology producers and users, privacy advocates, academics, and technologists. But the conference also showed that the two sides have a lot of work to do to find common ground.

The workshop was billed as the first major effort to bring together RFID backers and opponents. While companies with a stake in RFID, such as Intel, NCR, Philips Semiconductors, and ThingMagic (which makes RFID readers) attended and made presentations, the audience appeared weighted toward RFID skeptics. Some companies with big RFID plans, including Wal-Mart and Procter & Gamble, didn't attend, while representatives of others, including Gillette, were present but did not speak. (Article by Rick Whiting)

[source: On the Web]

Name names, or privacy law toothless

(2003-11-17) [Toronto Star] The Canadian privacy community has long circled January 1, 2004 on its collective calendar as the privacy equivalent of Y2K. The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's national private-sector privacy legislation, kicks into full swing on that date, following three years of limited applicability to federally regulated entities such as banks and broadcasters.

Despite a widespread campaign warning organizations to examine their data collection and disclosure practices to ensure compliance with the law, the consensus is that the majority of Canadian organizations will not be compliant come January 1. (Article by Michael Geist)

[source: TheStar.com]

Insurance giants asked to scan files for terrorism suspects

(2003-11-16) [Brandenton] Blue Cross Blue Shield of Michigan and Aetna have scoured the records of millions of patients, employees and health care providers in search of terrorists. Company representatives said Blue Cross Blue Shield has checked 6 million Michigan files and Aetna has checked 13 million nationwide, including 18,000 in Michigan, The Detroit News reported Sunday. None of the people whose records were checked was linked to terrorism, the insurers said.

"It's kind of disgusting," said Virginia Rezmierski, an adjunct associate professor in the Gerald R. Ford School of Public Policy and School of Information at the University of Michigan. "At what point did Blue Cross Blue Shield become an arm of the government, as opposed to a service provider for people?"

[source: On The Web]

'Basic Hygiene' for Sensitive Data

(2003-11-14) [Business Week] Nearly 10 million Americans have been victims of identity theft. It's no wonder, then, that it has been dubbed the "all-American crime of the Information Age." Consumers who use a credit card, Social Security card, or driver's license -- which means just about everyone -- are at risk. A Sept. 3 Federal Trade Commission survey revealed that identity theft cost consumers and businesses $53 billion last year alone.

IBM Chief Privacy Officer Harriet Pearson talks about things -- mostly simple -- companies can do to help prevent identity theft. A former attorney, Pearson is now responsible for designing information-collection and -use policies and practices across Big Blue. On Nov. 7, she spoke with me about how she believes IBM and other corporations can help stanch the data-crime wave. (Interview by Jane Black)

[source: Business Week Online]

New worm variant targets identity data

(2003-11-14) [Government Computer News] A variant of the MiMail worm became widespread today, trying to steal personal and financial information from users of an online payment service.

The worm sends an e-mail attachment with a dialog box that requests PayPal.com account information, including credit card numbers. The new variant does not automatically capture financial data from the recipient’s computer, however. (Article by William Jackson)

[source: GCN.com]

'Flaws In The System'

(2003-11-12) [Forbes] In February, 8 million VISA, MasterCard and American Express credit-card numbers were stolen from a server in Omaha, Neb., by ambitious computer hackers. Last month, Romanian cyber-terrorists, reportedly operating out of Internet cafes, were extorting companies and defrauding customers worldwide. Black-market brokers are mingling in chat rooms selling stolen credit-card numbers to the highest bidder.

(Article by Matthew Miller)

[source: Forbes.com]

Privacy 'bigger worry than security'

(2003-11-14) [itWeb - the technology news site] Questions of privacy dominated a panel discussion held at the Security Special Interest Group (SSIG) in Cape Town recently, as members of the audience seemed more concerned about protecting personal information than they were about security.

Current EU privacy laws forbid the export by companies registered there of personal information to companies in another country whose laws do not equate with those in Europe. 'The question is -- can this country afford to implement the same standards as those of the EU?' lawyer Jos Floor asked. (Article by Paul Vecchiatto)

[source: Webb article]

Illegal to disclose medical records via the Internet

(2003-10-16) [Datainspektionen] Landstinget i Uppsala län (the Uppsala County Council) planned to let the county's 300,000 residents access their medical records via the Internet. A trial with 2,000 patients was under way when Datainspektionen (the Swedish Data Inspection Board), which among other things is the supervisory authority under the Care Registers Act (vårdregisterlagen), decided to review the project.

The board of Datainspektionen has now reached a decision in the supervisory case and concluded that the disclosure violates the Care Registers Act, which regulates computerised medical records and patient administration systems. The Act contains a provision stating that only those who need the data for their work may have direct access to care registers.

[source: Webbnotiser]

Shortcomings in health care's patient information and in the security of wireless networks

(2003-11-03) [Datainspektionen] Datainspektionen has examined how patient data are processed in care registers at 13 public and private health care providers. The results are presented in a report today. Information to patients is often entirely missing. In addition, wireless networks are used in some cases where the patient data do not have adequate IT security.

[source: Webbnotiser]

Judgment from the European Court of Justice on personal data on a website

(2003-11-06) [Datainspektionen] The European Court of Justice today issued a so-called preliminary ruling in which, at the request of Göta Hovrätt (the Göta Court of Appeal), it examined the scope of the Data Protection Directive on which the Swedish Personal Data Act (personuppgiftslagen, PuL) is based.

The case concerns a confirmation teacher in Småland who was fined by Eksjö Tingsrätt (the Eksjö District Court) for a web presentation of some colleagues. The presentations were written in the first person, but without the persons' consent. The judgment was appealed to Göta Hovrätt, which turned to the European Court of Justice with a request that it examine whether PuL is compatible with the EU Data Protection Directive.

[source: Webbnotiser]

Draft new telecommunication act in Germany

(2003-11-05) [EDRI] On 15 October the German Federal Government adopted a draft new telecommunication act. The draft aims, inter alia, at implementing the European Directive on privacy and electronic communications (2002/58/EC), but will not introduce the spam-ban described in Article 13 of the Directive. In Germany spam will be banned through an update of the Act against Unfair Competition, and remain subject only to civil law.

[source: EDRI-gram - Number 21, November 5, 2003]

European campaign for safe e-voting

(2003-11-05) [EDRI] A coalition of technical, legal and political experts launched a campaign on 4 November to ensure that electronic voting can be trusted by voters and politicians across Europe.

Voters and candidates must be able to feel certain that voting intentions are accurately recorded. If any doubts do arise then all stake-holders must be able to verify and audit all aspects of the election. Without these protections, debacles such as the count of votes in the US presidential elections of 2000 are likely to be repeated on this side of the Atlantic. This could destroy voter trust in the electoral system and politics more widely.

Computerised voting is inherently subject to programming error, human error, equipment malfunction and malicious tampering. Due to the opaque nature of the technologies involved, which few understand, it is crucial that electronic voting systems provide a voter-verifiable audit trail. This is a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. This must be achieved without compromising the secrecy and integrity of the ballot.

[source: EDRI-gram - Number 21, November 5, 2003]

UK workshop on snooping laws

(2003-11-05) [EDRI] On 22 October, EDRI members FIPR and Privacy International held a public meeting to assess proposed government legislation to retain and snoop on information about the phone and Internet activity of everyone in the UK.

Speakers from the government side tried to convince a sceptical audience that the plans were a necessary and proportionate response to crime. Representatives of the Home Office, Northamptonshire County Council and the Department for Work and Pensions said that access to this data was essential to their work. However, the head of information rights at the Department for Constitutional Affairs said that they still had concerns about the regulation of some government agencies. Meanwhile technical, industry and Parliamentary speakers described the many problems with the legislation. Oversight, cost and legality all remain to be addressed to the satisfaction of many UK experts and Parliamentarians.

[source: EDRI-gram - Number 21, November 5, 2003]

Big Brother awards presented across Europe

(2003-11-05) [EDRI] Privacy and civil liberty activists across Europe have presented their Big Brother Awards to governments, companies and persons that have excelled in violating the right to privacy. Within a single week, Award ceremonies were held in Germany (24 October), Spain (25 October), Austria (26 October) and Switzerland (1 November).

[source: EDRI-gram - Number 21, November 5, 2003]

New anti-spam legislation in NL and Austria

(2003-11-05) [EDRI] On the 31st of October, the European Directive on Privacy in electronic communications (2002/58/EC) went into force. Only a minority of countries has implemented the directive in time, but any European citizen can now directly appeal to the directive in their national courts.

Most recently, the Dutch Lower House accepted the spam-ban on 4 November, voting unanimously for the new Telecommunication Law. Attempts from a social-democrat member of parliament to introduce penal sanctions for spamming and to extend the spam-ban to recipients at work failed, in spite of much anti-spam rhetoric from the governing liberal and christian-democrat parties. The House did accept an amendment that requires proof of consent from the senders of unsolicited communication, making it more difficult for the direct marketing industry to rent out address lists and play 'tell-a-friend' tricks.

In Austria the Directive was implemented in time. The anti-spam regulation went into force in August. Like the Dutch, the Austrian government refused to extend the spam-ban to all natural persons, including e-mail addresses used at work. Unlike the Dutch though, Austria already had opt-in protection for all recipients under the old telecommunication law. Anti-spam legislation already deteriorated when the E-Commerce directive was implemented, forcing the Austrians to suddenly create an opt-out list. Since the implementation of the new Privacy directive, some enforcement agencies state that even that opt-out list no longer applies to non-consumers, since the new telecom law explicitly allows them to be spammed as long as an opt-out possibility is mentioned in the spam message.

See Press Release

[source: EDRI-gram - Number 21, November 5, 2003]

EU IPR enforcement: rapporteur ready for compromise

(2003-11-14) [EDRI] On 4 November there was a heated debate in the Judicial Affairs Committee (JURI) of the European Parliament about the proposed new directive on the Enforcement of Intellectual Property Rights. According to Social Democrat Willy Rothley from Germany "the EU Commission aggressively attempts to exceed its authorities and assume competencies it does not hold. Senselessly, it deals with lawmaking as though it were a patchwork quilt, and thus actually destroys the law."

[source: EDRI-gram - Number 21, November 5, 2003]

Study finds job seekers' privacy at risk

(2003-11-13) [EPIC] A new study by the World Privacy Foundation found individuals seeking employment are subject to a host of new privacy risks including sale of their personal information. The study, authored by Pam Dixon of the newly-formed World Privacy Forum, focuses on over 50 job search web sites and in-store kiosks that collect application information electronically. Serious questions are raised regarding compliance with Equal Employment Opportunity laws. Title VII prohibits employment discrimination based on race, color, religion, sex or national origin; employers must inform applicants that supplying this information is voluntary. However, several job seeking sites do not make this disclosure, and seem to require the applicant to disclose the information.

[source: EPIC Alert vol 10 no 23]

US FCC to hold hearing, issue NPRM on VoIP

(2003-11-13) [EPIC] The Federal Communications Commission announced that it will hold a forum on Voice over Internet Protocol (VoIP) issues on December 1, 2003, and that it will then issue a Notice of Public Rule Making (NPRM) "to inquire about the migration of voice services to IP-based networks and gather public comment on the appropriate regulatory environment for these services". The FCC has invited individuals from a variety of backgrounds in industry and government to present information on issues related to VoIP. The hearing will discuss regulation and classification questions, including those raised in the Vonage v. Minnesota Public Utilities Commission case. The discussion will be open to public comment after which time the FCC intends to follow with a Report and Order on the VoIP issues raised in the proceeding.

[source: EPIC Alert vol 10 no 23]

Al Gore Calls for Repeal of the Patriot Act

(2003-11-13) [EPIC] On Sunday, November 9, former Vice President Al Gore was welcomed by a crowd of 3,000 at Constitution Hall in an event sponsored by the American Constitution Society and moveon.org. Speaking about freedom and security, Gore brought the crowd to their feet when he called for a repeal of the Patriot Act. He stated, "I believe the Patriot Act has turned out to be, on balance, a terrible mistake, and that it became a kind of Tonkin Gulf Resolution conferring Congress' blessing for this President's assault on civil liberties."

The former Vice President criticized the Bush administration for seeking an overwhelming amount of privacy and secrecy for its own activities, whilst intruding further into the lives of private citizens by increasing surveillance and detention powers. He stated, "Where civil liberties are concerned, they have taken us much farther down the road to an intrusive, Big Brother-style government -- toward the dangers prophesied by George Orwell in his book '1984' -- than anyone ever thought would have been possible in the United States."

[source: EPIC Alert vol 10 no 23]

US Report Raises Questions About Voting Machines

(2003-11-13) [EPIC] The Congressional Research Service (CRS) of the Library of Congress has presented to Congress a report entitled, "Election Reform and Electronic Voting Systems: Analysis of Security Issues." The report was written in response to rising concern and questions regarding new electronic voting systems after recent allegations that these systems use software that is subject to alarming security vulnerabilities. The report analyzes the controversy surrounding direct recording electronic (DRE) voting machines - the first fully computerized voting system - while putting it in the larger context of election practices and voting machine development. It details the types of threats and vulnerabilities that could jeopardize the voting process, as well as the specific complaints broached by security experts.

[source: EPIC Alert vol 10 no 23]

U.S. Post Office proposes sender id

(2003-10-30) [EPIC] On October 21, the United States Postal Service proposed new requirements for sender identification for users of "discount" mail rates. Under the system, discount mail senders would have to identify themselves in order to "facilitate investigations into the origin of suspicious mail." The notice cited a report issued by the President's Commission on the United States Postal Service that recommended a system of "intelligent mail" for the country, one in which all senders would be required to identify themselves on the mail piece. The Postal Service explained that "requiring sender-identification for discount rate mail is an initial step on the road to intelligent mail."

On October 28, the Postal Service announced that it would withdraw the notice requiring sender identification and reissue it, claiming that the notice, "has caused misunderstanding in some quarters."

[source: EPIC Alert vol 10 no 22]

RFID - MIT retreats; U.S. government embraces technology

(2003-10-30) [EPIC] As radio frequency identification (RFID) technology is being applied in more and more ways, the U.S. and local governments are coming up with their own applications and MIT is getting out of the business altogether. The U.S. government announced plans to employ RFID tags in supplies for the nation's defense by 2005. The Department of Defense presented plans earlier this month to attach RFID tags to all military supplies -- from tanks and weapons to crates of food -- in order to keep better tabs on the items.

On a local level, the San Francisco Public Library wants to keep better watch over the city's library books. The plan, also predicted to be functional by 2005, would tag the library's 2 million books, CDs and other materials that are accessible to patrons. Library officials give assurances that the tags would be deactivated before a patron left with the books, but concerns still linger over the retention and accessibility of the information generated by the tags. Finally, MIT announced that RFID technology has gone beyond the university's mission. The technology, now beyond the research stage and into the deployment stage, has been handed off to the global research company EPCglobal to oversee international standards. The transfer rids MIT not only of the technology for a time, but also of the barrage of public relations attacks from those opposed to its privacy implications.

[source: EPIC Alert vol 10 no 22]

EU Set to Implement Privacy Directive

(2003-10-30) [EPIC] The Directive on Privacy and Electronic Communications (2002/58/EC), that entered into force in July 2002, must be transposed in European Union (EU) Member States by October 31, 2003. It provides, as a general rule, for the confidentiality of communications and related traffic data, and prohibits, in particular, any unauthorized listening, tapping, storage or other type of interception or surveillance of electronic communications by persons other than users, without users' consent. The Directive prohibits, for example, unsolicited commercial e-mail ("spam") without the recipient's consent (opt-in), and protects mobile phone users from precise location tracking and surveillance. It also provides that EU Member States may, for reasons of national security, defense, public security and the prevention, investigation and prosecution of criminal offences, enact legislation providing for the retention of traffic and location data by telecommunications operators.

So far Austria, Belgium, Denmark, and Italy have implemented the opt-in regime for unsolicited commercial e-mail, while eight EU countries have adopted laws providing for the retention of traffic data for periods ranging from three months to a year. A Council of the EU Framework Decision is currently being drafted that would compel every Member State to implement EU-wide uniform data retention rules for periods ranging from 12 to 24 months.

Directives are a form of EU law that is binding on Member States, but only as to the result to be achieved. They leave it to the national authorities to choose the form and methods of their implementation. The rules of law applicable in each Member State are the national laws implementing the directives and not the directive itself. However, the directive has a "direct effect" on individuals: it grants them rights that can be upheld by national courts in their respective countries if their governments have not implemented the directive by the set deadline.

The text of Directive 2002/58/EC is available at: http://register.consilium.eu.int/pdf/en/02/st03/03636en2.pdf

[source: EPIC Alert vol 10 no 22]

Worldwide NGO Coalition Urges ICANN To Safeguard Privacy

(2003-10-30) [EPIC] More than 50 consumer and civil liberties organizations from 22 countries around the world have urged Internet Corporation for Assigned Names and Numbers (ICANN) President Paul Twomey to limit the use and scope of the WHOIS database to its original purpose (the resolution of technical network issues) and to establish strong privacy protections based on internationally accepted privacy standards. ICANN recently met in Carthage, Tunisia, to discuss the privacy issues surrounding the use of the WHOIS database.

ICANN is the non-profit corporation that is assuming responsibility from the United States Government for coordinating certain Internet technical functions, including the management of the Internet domain name system. WHOIS is a database that contains information for every registered Internet domain. It includes the registrant's contact information (names, postal and e-mail addresses, and telephone numbers of technical, administrative and billing contacts), registration status and expiration date, as well as technical information about the domain name.

[source: EPIC Alert vol 10 no 22]

US Senate Approves Weak Spam Legislation

(2003-10-30) [EPIC] On October 22 the Senate unanimously passed anti-spam legislation that would set a federal standard, preempting the laws of more than 35 states that have attempted to reduce the number of unsolicited commercial e-mails. The legislation, S. 877, known as the Can-Spam Act of 2003, was enacted to attack the 13 billion e-mails that clog e-mail in-boxes across the globe each day. Yet the preemption provision would do away with some stronger state privacy regulations, such as the regulations that were just signed into law by Gov. Gray Davis in California.

On July 18, thirteen consumer protection and public interest groups, led by EPIC, sent a letter to Congress urging enactment of certain key provisions to assure strong anti-spam protection. Those provisions included an opt-in system for the receipt of bulk commercial e-mails, private rights of action, international collaboration and no preemption of stronger state laws. None of these provisions are included in the Can-Spam Act; in fact, quite the opposite: the Act sets out an opt-out scheme, provides for no private right of action or international collaboration, and preempts all state law.

In addition, the Act appears to legalize non-fraudulent spam, and includes a very broad exception for any business that has obtained a recipient's e-mail address in any way from the recipient. The broad exceptions will likely lead to more and more businesses requiring an e-mail address to access the company's site or for any transaction with a recipient, allowing the business to then legally spam.

[source: EPIC Alert vol 10 no 22]

A tough lesson on medical privacy - Pakistani transcriber threatens UCSF over back pay

(2003-10-22) [SFGate.com] "Your patient records are out in the open... so you better track that person and make him pay my dues." A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center threatened to post patients' confidential files on the Internet unless she was paid more money. To show she was serious, the woman sent UCSF an e-mail earlier this month with actual patients' records attached. The violation of medical privacy - apparently the first of its kind - highlights the danger of "offshoring" work that involves sensitive materials, an increasing trend among budget-conscious U.S. companies and institutions.

U.S. laws maintain strict standards to protect patients' medical data. But those laws are virtually unenforceable overseas, where much of the labor-intensive transcribing of dictated medical notes to written form is being exported. (Article by David Lazarus in the San Francisco Chronicle)

[source: SFGate website]

Privacy compliance when trading internationally

(2003-10-23) [Out-Law.com] A summary of best practices was published on October 22, 2003 for those trading outside their own national borders, covering the use of technology to protect on-line data to aid compliance with the growing body of privacy laws in Europe, the US and Australia.

According to Ernst & Young's 2003 Global Information Security Survey, 90% of global organisations say information security is of high importance for achieving overall objectives, but only 34% of organizations claim to be compliant with applicable security-driven regulations. See whitepaper

[source: out-law.com web site]

Halloween Marks Start of EU Privacy Directive

(2003-10-24) [DMNews] The European Union's Privacy and Electronic Communications Directive takes effect in all member states Oct. 31. The directive requires marketers to receive prior consent from consumers before using a recorded message during telemarketing or sending unsolicited e-mail and faxes.

Direct marketers contacting consumers in any of the 15 EU member states via e-mail, fax or telephone with a recorded message, or who are renting a list of consumers in EU member states for marketing via one of these methods, must receive consent. The ban does not apply to existing customer relationships, however, so marketers can continue communicating to existing customers as long as they provide a legitimate mechanism to opt out. In addition to being implemented in member states, many candidate countries are enacting similar laws. In total, the directive eventually will become policy in 25 nations. The directive is also to be reviewed by the European Parliament within three years of its application by member states.

[source: Online DMNews]

Spyware invades user privacy

(2003-10-24) [redandblack.com] Right now you probably have a program on your computer that tracks your Internet traffic and secretly broadcasts it over the Internet, and chances are you installed it yourself.

Known as "spyware," these programs usually end up on your computer when you've downloaded another program. Some programs -- especially free ones -- come bundled, and to install one program, you must also install the other. This is usually a condition to which you must agree in order to use the free program. These programs run silently in the background, tracking each Web site address you surf, and then communicate that data back to their creators, who in turn sell it to advertisers.

(Article by Josh Brown)

[source: redandblack website]

Dutch Big Brother Award for Minister of Justice

(2003-10-22) [EDRI] The Dutch Big Brother Awards were presented in front of a 300 person audience in Amsterdam on the 11th of October. The Awards go to the person, company, governmental institution and initiative that did the most to damage the privacy of citizens in 2003. The 4 winners of 2003 are: minister of Justice Piet Hein Donner; several major law firms; the Immigration and Naturalisation Service; and the legal proposal to introduce compulsory identification.

According to the jury, minister Donner seems to have a personal mission in the destruction of the right to privacy. The minister was awarded for a long list of proposals and determined efforts to shift the balance between privacy and safety. The minister is in particular responsible for the law proposal for compulsory identification for all persons from the age of 14.

[source: EDRI-gram - Number 20, 22 October 2003]

EU Health Chip

(2003-10-22) [EDRI] The European Union has taken steps towards the creation of an EU-wide health identity card. By 2008 there will be a new card with a microchip that can store a range of biometric and personal data. Approved by Union ministers in Luxembourg, the plastic disk will slide into the credit-card pouch of a wallet or purse.

The European Health Insurance Card is intended to replace forms currently used by travellers who fall ill in other EU countries. Eventually it will replace a plethora of other complex forms needed for longer stays. See more info on European health insurance card http://europa.eu.int/comm/employment_social/news/2003/feb/hicard_en.html

[source: EDRI-gram - Number 20, 22 October 2003]

'Mandatory Data Retention is Unlawful'

(2003-10-22) [EDRI] A legal opinion commissioned by EDRI-member Privacy International and provided by the law firm Covington & Burling concludes that mandatory data retention plans in the EU are unlawful. The opinion, which relates to an EU framework directive on the retention of communications data, has profound ramifications for ten EU states that have implemented, or are planning to implement, measures to place communications users under blanket surveillance.

The opinion states: "The data retention regime envisaged by the (EU) Framework Decision, and now appearing in various forms at the Member State level, is unlawful. Article 8 of the European Convention on Human Rights (ECHR) guarantees every individual the right to respect for his or her private life, subject only to narrow exceptions where government action is imperative. The Framework Decision and national laws similar to it would interfere with this right, by requiring the accumulation of large amounts of information bearing on individuals' private activities. This interference with the privacy rights of every user of European-based communications services cannot be justified under the limited exceptions envisaged by Article 8 because it is neither consistent with the rule of law nor necessary in a democratic society."

[source: EDRI-gram - Number 20, 22 October 2003]

Still No EU Data Protection Supervisor

(2003-10-22) [EDRI] The European institutions can't agree on the appointment of a European privacy czar. The European Parliament insists on choosing Joaquín Bayo Delgado, who has no experience in data protection issues, as the new EU Data Protection Supervisor. The Council favours the Dutch Data Protection Commissioner Peter Hustinx.

The procedure of choosing an EU Data Protection Supervisor started one year ago.

[source: EDRI-gram - Number 20, 22 October 2003]

UK Car-Tracking Plans

(2003-10-08) [EDRI] The UK police are coming to the end of their second phase trials on Automatic Number Plate Recognition (ANPR) and preparing to roll out the technology nationwide next summer. ANPR tracks cars using the omnipresent CCTV systems and specialised fixed and mobile cameras. It can use government databases to detect untaxed, unroadworthy and uninsured vehicles. It also means that over time a record of the majority of car journeys around the country will be built up.

Privacy advocates have warned that 'function creep' will mean that these records become used for many purposes unrelated to their initial justification. They could allow the government to bring forward plans to introduce congestion charging across the country, charging drivers for all journeys according to the level of traffic on the road. They could be used to enforce speed restrictions across long distances. And they will certainly be used in all sorts of police investigations and even civil cases such as divorce.

[source: EDRI-gram - Number 19, 8 October 2003]

Protest Against Super Database in Romania

(2003-10-08) [EDRI] Human rights experts in Romania have harshly criticised the government resolution adopted last week to set up an Integrated Information System (SII), considering it extremely dense, imprecise and open to arbitrary interpretation. The SII is a database that will centralise the information held by all public institutions regarding natural and legal persons, and may well become the electronic arm of the Romanian Intelligence Service (SRI).

[source: EDRI-gram - Number 19, 8 October 2003]

Dutch Compulsory Identification Above 14 Years

(2003-10-08) [EDRI] Last week in the Netherlands a legal proposal became public to introduce compulsory identification for all persons from the age of fourteen. People unable to immediately show a valid passport, driver's licence or (cheaper) identity card risk a fine of up to 2,250 Euro. Every police officer, including military police, any extraordinary law enforcement agent and any police-related supervisor may ask for proof of identity. According to the explanatory statement the police must have a reasonable cause related to their task to ask for ID, but there is no need for an actual suspicion of an offence.

[source: EDRI-gram - Number 19, 8 October 2003]

French DPA Against Tracking of Passenger Movements

(2003-10-08) [EDRI] The French Data Protection Authority, the CNIL, considers the current use of chip-cards for public transport a serious danger for privacy. The cards combine identity-data with travel data like point of entrance to the subway, date and time, and even exact route in case the passenger switches route halfway.

[source: EDRI-gram - Number 19, 8 October 2003]

EU Proposal on Biometrics in Visa and Passports

(2003-10-08) [EDRI] The European Commission is proposing to integrate biometric identifiers into visas and residence permits for third country nationals. Later this year proposals will follow for biometrics in passports of EU citizens, likely to be similar to the visa proposal.

The Commission and member states want to store two types of biometric data in a contactless chip (RFID). A digital facial image will be the 'primary biometric identifier in order to ensure interoperability'. As reported in EDRI-gram nr 13, facial images have been chosen by the International Civil Aviation Organisation (ICAO) as the primary biometric identifier. The US requires facial images in passports for countries to be able to take part in the visa waiver program. Specifically, the US is demanding biometrics in EU passports from 26 October 2004 onwards.

The second biometric identifier in the chip will be digital images of two fingerprints. As all EU countries already have criminal databases with fingerprints, this biometric identifier will make it possible to do automated one-to-many checks. The fingerprints taken for visas will be stored in a new Visa Information System (VIS).

[source: EDRI-gram - Number 19, 8 October 2003]

International Consumer Group Launches Spam Survey

(2003-10-17) [EPIC] The Transatlantic Consumer Dialogue, which represents EU and U.S. consumers, has launched an online survey to assess consumers' attitudes on spam email. The results of the survey will be announced to senior officials from OECD governments and representatives of the international press in February 2004.

The survey is available at: http://www.net-consumers.org/erica/spamsurvey.htm

[source: EPIC Alert vol 10 no 21]

Tech Roundtable Discusses Using RFID Tags on Children

(2003-10-17) [EPIC] On October 8, the High Tech Child Safety Roundtable met at the George Washington University to discuss the use of wireless networking to track the location of children for their safety. Specifically, the panel focused on embedding RFID tags in children's clothing, shoes, pins, ID cards, and other items to monitor the location of a child. However, the systems discussed would track children only while within range of a school or other location that had deployed the technology; such a system would be similar in effect to video surveillance or a parent watching their child. The Roundtable further addressed technical implementation issues and data access problems arising from such a system.

See the High Tech Child Safety Roundtable site at: http://www.kidlocate.org

[source: EPIC Alert vol 10 no 21]

ICANN to Consider WHOIS Privacy in Carthage

(2003-10-17) [EPIC] ICANN will hold a WHOIS Workshop on October 29, 2003 in Carthage, Tunisia. At this workshop, privacy concerns of Internet domain name registrants will be discussed. The Non-Commercial Users Constituency is proposing several policy changes to WHOIS that would minimize the amount and type of personal data that an individual must disclose and protect such sensitive personal data from unrestricted public access. The Public Interest Registry, which manages the .ORG domain, has also made recommendations to improve privacy for WHOIS data.

The ICANN Carthage WHOIS Workshop Agenda is available at: http://www.icann.org/carthage/whois-workshop-agenda.htm

[source: EPIC Alert vol 10 no 21]

Report Slams Website Personalization

(2003-10-17) [EPIC] A new report by Jupiter Research found that personalizing websites for marketing purposes was costly and ineffective. The report, entitled "Beyond the Personalization Myth," stated that companies would be better served by improving site basics, such as navigation, rather than tailoring pages according to information gathered about individual visitors. The study also found that operating a personalized Web site cost more than four times as much as operating a "comparable dynamic site." Jupiter reported that users were not overly fond of personalized sites, largely because of privacy concerns. In fact, more than 25 percent of consumers surveyed by Jupiter said they avoided Web site customization because of concerns that marketers would misuse the information.

Information about the report is available at: http://news.com.com/2100-1038-5090716.html

[source: EPIC Alert vol 10 no 21]

European Parliament Opposes Air Travel Data Transfer

(2003-10-17) [EPIC] On October 9, the European Parliament overwhelmingly passed a resolution concerning airlines' transmission of personal data to the United States. In doing so, the Parliament made clear the position of the European Union on negotiations with the U.S. The resolution not only details various concessions the European Commission must require of the United States, but requires that the Commission act within two months, or else be brought to the Court of Justice by the European Parliament for failure to do so.

The text of the October 9 European Parliament resolution is available at: http://www.epic.org/privacy/airtravel/profiling/epresolution.html

[source: EPIC Alert vol 10 no 21]

US Senate Passes Genetic Privacy Measure

(2003-10-17) [EPIC] The Senate, in a bipartisan effort, unanimously passed the Genetic Information Nondiscrimination Act of 2003 (S.1053) earlier this week. The legislation, sponsored by Sen. Olympia Snowe (R-ME), prohibits discrimination in health insurance by employers' group health plans and by health insurance issuers on the basis of genetic information. Group health plans and health insurers are forbidden to limit enrollment or vary premiums on the basis of genetic information or on the basis of an individual's request for genetic tests or services such as genetic counseling. They are also prohibited from requesting or requiring genetic tests.

[source: EPIC Alert vol 10 no 21]

Canada's Biometric ID Plan Under Fire

(2003-10-17) [EPIC] The proposal by the Immigration Minister to implement a system of biometric identification in Canada has met with a blast of public opposition since its inception last year. In the face of concerns over terrorism, and in the interest of furthering commerce and travel, the program aims to encode biometric identifiers -- such as iris scans, fingerprints and hand geometry -- onto ID cards in order to guarantee that each Canadian is who he or she claims to be. A biometric identifier is any physical characteristic of a person that can be recorded and matched against a person.

An interim report issued by the House of Commons quotes the Minister as stating: "The card provides certainty because of the security around its issuance and the technology used in the card." However, the report referred to polls and the testimony of several experts to show that support for the biometric IDs is not strong. The report also cautioned that biometric IDs "could have wide implications for privacy, security and fiscal accountability," and proposed that the government receive more feedback from the public-at-large.

[source: EPIC Alert vol 10 no 21]

Privacy International Releases Freedom of Information Survey

(2003-10-02) [EPIC] Privacy International recently released a global survey entitled "Freedom of Information and Access to Government Records Around the World." Compiled by David Banisar, director of the Freedom of Information Project at Privacy International, the survey reports that more than 50 countries around the world now have Freedom of Information laws, more than half of which were passed in the last decade.

Read Privacy International's Freedom of Information Survey at: http://www.freedominfo.org/survey.htm

[source: EPIC Alert vol 10 no 20]

OMB Issues Privacy Guidelines For Federal Agencies

(2003-10-02) [EPIC] On October 2nd, the Office of Management and Budget (OMB) issued guidelines to federal agencies on the implementation of privacy provisions of the E-Government Act of 2002. The guidelines govern how the agencies handle and protect individuals' personally identifiable information.

View the OMB's guidelines at: http://www.whitehouse.gov/omb/memoranda/m03-22.html

[source: EPIC Alert vol 10 no 20]

ID Theft Report Documents Victims' Frustration, Expense

(2003-10-27) [EPIC] The Identity Theft Resource Center (ITRC) published a report detailing the effects of identity theft on victims. The report was based on a survey of 173 victims. The report found that victims spend an average 600 hours clearing their names. Thirty-four percent reported that they could not clear all the negative items from their credit reports. Seventy-three percent reported that personal information was used to open new credit reports, further showing that credit grantors' practices are inadequate. And, almost 75 percent of victims learned about the theft in a "negative" way, meaning that they were alerted to the presence of fraud by debt collectors or by being denied credit.

Read the Identity Theft: The Aftermath report at: http://www.idtheftcenter.org/idaftermath.pdf

[source: EPIC Alert vol 10 no 20]

EPIC Testifies in the House on Cross Border Fraud

(2003-10-02) [EPIC] On September 17, EPIC Executive Director Marc Rotenberg testified before the House Subcommittee on Commerce, Trade and Consumer Protection on cross border consumer fraud and the reauthorization of the Federal Trade Commission (FTC). The FTC desires a broad extension of its powers to help combat consumer fraud originating from both inside and outside U.S. borders.

EPIC testified in support of closer cooperation with foreign law enforcement agencies in fraud investigations, but offered a number of recommended revisions to ensure that democratic values, including privacy, government accountability and transparency, were duly incorporated. The FTC proposal allows for broad disclosure of information concerning individuals and entities within the United States. It includes provisions that would allow the FTC and foreign agencies to gain access to financial and electronic information for an extensive period of time before having to notify the target of the investigation. The proposal also includes two exemptions from open record obligations under the Freedom of Information Act.

[source: EPIC Alert vol 10 no 20]

EPIC Urges Halt to CAPPS II Air Passenger Profiling System

(2003-10-02) [EPIC] Concluding that it is "precisely the sort of system that Congress sought to prohibit when it enacted the Privacy Act of 1974," EPIC has called for a halt to the Computer Assisted Passenger Prescreening System (CAPPS II). The recommendation was made in response to a Transportation Security Administration (TSA) notice exempting the controversial passenger profiling project from key requirements of the Privacy Act of 1974.

The TSA notice, published in the Federal Register on August 1, 2003, provided more details on the agency's plans to collect and use personal information than an earlier notice published in January 2003, but still failed to address fundamental privacy questions. Furthermore, in a significant expansion of the program's purpose, TSA announced that CAPPS II will not only search for suspected terrorists, but also for those wanted for violent crimes.

[source: EPIC Alert vol 10 no 20]

Congress Shuts Pentagon Unit Over Privacy

(2003-09-25) [New York Times] A Pentagon office that became steeped in controversy over privacy issues and a market in terrorism futures was shut down by Congress today as the Senate passed and sent to President Bush a $368 billion military measure that eliminates money for it.

The Pentagon spending plan for 2004 adopted by the Senate says that the office, the Information Awareness Office, which had been headed by Adm. John M. Poindexter, should be "terminated immediately" while a few projects under its control could be shifted elsewhere within the Defense Advanced Research Projects Agency. The House passed the measure on Wednesday. (Author: Carl Hulse)

[source: nytimes.com September 25, 2003]

Privacy, security on Australian single-identifier group's list

(2003-09-26) [ZDNet Australia] The Australian Communications Authority (ACA) has convened a working group to study the privacy and security implications of mapping telephone numbers to Internet Protocol numbers ahead of a trial next year.

The Australian ENUM Discussion Group, which is hosted by the ACA and looks at issues involved in the Australian trial of ENUM, on Monday established a working group to study the interrelated issues of privacy and security.

ENUM stands for e164 Number Mapping. e164 is the International Telecommunications Union (ITU-T) code for the international telephone address number plan. Under the ENUM scheme, telephone numbers will be mapped to an IP address ending in e164.arpa. (Author: James Pearce)

[source: News September 26, 2003]
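The ENUM mapping described above is deterministic and public: RFC 3761 turns an E.164 number into a domain name under e164.arpa by reversing its digits, separating them with dots and appending the suffix, and NAPTR records at that name then point at the subscriber's services. The privacy point the ACA working group is studying follows directly from that design, because anyone who can see a DNS query for such a name can read the telephone number back out of it. The following is an added example, not code from the ACA, the ENUM Discussion Group or the article; it implements the RFC 3761 conversion in both directions and, over a constructed (not real) resolver query log, shows what a passive observer on the resolver path learns. The log format and the telephone numbers are assumptions made up for the example.

```python
import re

ENUM_SUFFIX = ("e164", "arpa")          # the ENUM tree defined by RFC 3761
E164_MAX_DIGITS = 15                    # E.164 numbers have at most 15 digits


def validate_e164(number: str) -> bool:
    """True if `number` is a fully qualified E.164 number: a leading '+',
    1..15 digits, and nothing else apart from spaces, dashes or dots."""
    stripped = number.strip()
    if not stripped.startswith("+"):
        return False
    body = stripped[1:]
    if re.search(r"[^0-9 .\-]", body):
        return False
    digits = re.sub(r"[^0-9]", "", body)
    return 1 <= len(digits) <= E164_MAX_DIGITS


def e164_to_enum(number: str) -> str:
    """Convert an E.164 number to its ENUM domain name (RFC 3761 section 2.4):
    drop non-digits, reverse the digits, join them with dots, add e164.arpa."""
    if not validate_e164(number):
        raise ValueError(f"not a valid E.164 number: {number!r}")
    digits = re.sub(r"[^0-9]", "", number)
    return ".".join(reversed(digits)) + "." + ".".join(ENUM_SUFFIX)


def enum_to_e164(name: str) -> str:
    """Inverse mapping: recover the E.164 number from an ENUM domain name.
    Rejects names outside e164.arpa or with labels that are not single digits."""
    labels = name.rstrip(".").lower().split(".")
    if tuple(labels[-2:]) != ENUM_SUFFIX:
        raise ValueError(f"not under e164.arpa: {name!r}")
    digit_labels = labels[:-2]
    if not digit_labels or not all(len(lbl) == 1 and lbl.isdigit() for lbl in digit_labels):
        raise ValueError(f"malformed ENUM name: {name!r}")
    return "+" + "".join(reversed(digit_labels))


# Constructed sample of resolver query-log lines (assumed format, not real data).
SAMPLE_QUERY_LOG = """\
2003-09-26T10:01:02 client 192.0.2.10 query 3.2.1.0.6.4.9.7.0.2.4.4.e164.arpa IN NAPTR
2003-09-26T10:01:03 client 192.0.2.10 query www.example.com IN A
2003-09-26T10:01:04 client 192.0.2.11 query 0.0.0.0.0.0.0.9.3.1.6.e164.arpa IN NAPTR
2003-09-26T10:01:05 client 192.0.2.12 query not-a-number.e164.arpa IN NAPTR
"""

_QUERY_RE = re.compile(r"client (\S+) query (\S+) IN NAPTR")


def numbers_exposed_in_log(log_text: str) -> list:
    """Return (client, E.164 number) pairs that a passive observer of this
    query log could reconstruct; non-ENUM and malformed names are skipped."""
    exposed = []
    for line in log_text.splitlines():
        match = _QUERY_RE.search(line)
        if not match:
            continue
        client, qname = match.groups()
        try:
            exposed.append((client, enum_to_e164(qname)))
        except ValueError:
            continue                      # not an ENUM name, nothing to learn
    return exposed


if __name__ == "__main__":
    print(e164_to_enum("+44 20 7946 0123"))
    for client, number in numbers_exposed_in_log(SAMPLE_QUERY_LOG):
        print(f"{client} looked up {number}")
```

Because the mapping is reversible with no secret, the only mitigations are on the transport and the data: who is allowed to query the zone, what the NAPTR records reveal, and whether the resolver path can be observed, which is exactly the privacy and security scope the working group was convened to examine.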

eBay confirms user data giveaway

(2003-09-25) [The Register] Unrepentant online auction site eBay has confirmed that it will give personal data to government officials without a subpoena.

(by: Andrew Orlowski)

[source: Web September 25, 2003]

"Speak out on privacy"

(2003-09-23) [presstelegram.com] Last week, JetBlue's chief executive, David Neeleman, apologized to about 150 passengers who complained that the airline divulged information to a Defense Department contractor that was working on a program to track high-risk passengers. Sharing that information was against JetBlue's privacy policy.

The letter to the 150 passengers promised to make things right and assured those who complained that none of the information was shared with the government and all of it was destroyed. Several of those who complained have sued JetBlue. The apology was the right thing to do, but there were more than a million other passengers whose privacy was breached. They have to wonder what JetBlue was thinking when it voluntarily gave the contractor more than 5 million itineraries of more than 1.1 million passengers, including their names, addresses and phone numbers. That information was then matched with other lists that would divulge passengers' Social Security numbers, financial histories and occupations, according to a report in The New York Times.

See also The Privacy Manager, September 24, 2003

[source: Web news September 23, 2003]

Confusion about UK ID-card

(2003-09-25) [EDRI] Confusion still reigns within the UK government over plans for a national ID card. Home Secretary David Blunkett (the Minister of Internal Affairs) has continued to push his scheme despite opposition from Cabinet colleagues.

Though it is unclear whether carrying a card would be mandatory, Blunkett said at the very least no-one should be able to work or claim benefits without one. While little principled opposition seems to exist within the government, the Treasury has refused to fund the cards. The Home Office has therefore suggested that citizens should be forced to pay around 60 Euro each to obtain a card. Independent cost estimates are far higher, at around 140 Euro per card.

[source: EDRI-gram - Number 17, 25 September 2003]

New directive on privacy in the workplace

(2003-09-25) [EDRI] The European Commission is planning a new Directive on privacy in the workplace, in 2004 or 2005. After two consultations with the social partners, in August 2001 and October 2002, the Commission is convinced of the necessity of such a new directive. Three main grounds for the new legislative framework are: technological advances that increasingly blur the boundary between work and private life; globalisation and the outsourcing of human resources; and finally 'post-11 September insecurity'.

In preparation of the new directive the European Industrial Relations Observatory (EIRO) published a very interesting and detailed comparative legal study on privacy and e-mail at the workplace. Art. 29 Working Document (29.05.2002): http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp55_en.pdf

[source: EDRI-gram - Number 17, 25 September 2003]

UK ISPs condemn 1 year data retention

(2003-09-25) [EDRI] Industry and human rights campaigners have condemned new data retention proposals from the UK's Home Office (Ministry of Internal Affairs).

The draft Statutory Instruments (secondary legislation) would approve 'voluntary' retention by Internet Service Providers, but preserve the power of the Home Secretary to impose a compulsory code. Data on customers would be retained for up to 12 months, and could be accessed by a large number of government bodies for many different purposes. While the 'Snoopers' Charter', which enabled access for almost every government-related agency, was officially withdrawn in June 2002, the new proposals show no change of heart. In fact, only one of the 24 categories of bodies that were to be given access to data in 2002 has been dropped from the Government's list, while three new ones were added. ISPs are worried about the cost and the privacy implications for their customers. Human rights groups have criticised the regulations as a draconian invasion of privacy that is unlikely to provide the benefits claimed by its intelligence agency and law enforcement supporters.

[source: EDRI-gram - Number 17, 25 September 2003]

Verisign violates privacy of millions of internet users

(2003-09-25) [EDRI] Verisign, the US-based registrar of the .com and .net top level domains, refuses to stop redirecting internet users to its own search engine Site Finder. Since 15 September everybody who makes a mistake in typing a web address is redirected to its website, instead of just getting an error message. In spite of massive protests from internet users, technicians, the IAB and ICANN, Verisign doesn't seem willing to change its policy.

In a posting on the collective weblog CircleID, privacy expert Richard M. Smith states that Verisign is using the services of Omniture to set a cookie. Through this, the company is able to watch all future mistakes people make in typing a domain name, besides analysing their search behaviour and gathering sensitive information like the previously visited web address. With 4 to 7 million misguided visitors per day, Verisign is violating the privacy of internet users worldwide on an extremely large scale. This type of secretive monitoring is prohibited by the European Directive on privacy in the telecommunications sector (2002/58/EC). Via Recitals 24 and 25 and Article 5.3 the Directive requires explicit consent of each internet user for cookies and similar monitoring devices. "So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned."

[source: EDRI-gram - Number 17, 25 September 2003]

EU and US not getting closer on passenger data

(2003-09-25) [EDRI] Negotiations about airline passenger data between the European Commission and the US are stuck but both parties have agreed to solve their differences before the end of this year. On 22 September, Asa Hutchinson, US Under Secretary for Border & Transportation Security met with EU Commissioner Bolkestein, but that didn't result in any public change of the US position.

Since March the US has been demanding passenger data from European airlines flying to or through the US. The data is sent to the US prior to flight departure and used by the US to screen passengers and apply a risk assessment. The passenger name record (PNR) data consists of 39 data items: departure and return flights, connecting flights, special services required on board the flight (meals such as Kosher, Halal) and payment information such as credit card numbers. Airlines might lose landing rights if they do not comply with US demands.

[source: EDRI-gram - Number 17, 25 September 2003]

Danish conference on freedom of expression on-line

(2003-09-10) [EDRI] On 2 September the Danish network on the World Summit on the Information Society hosted a conference on Freedom of Expression in the Information Society. The conference addressed global tendencies of regulation of freedom of expression, the new Council of Europe Declaration on Freedom of Communication on the Internet, intellectual property rights, (traditional) media, access to information and the role of libraries.

A number of concerns were raised, both in relation to the WSIS process as such and in relation to the topics discussed: for instance the general tendency to amputate internationally recognised freedom of expression principles in the WSIS documents; the legislative tendencies post 9-11 and how to preserve individual privacy and freedom; the future role of libraries in providing free information access and local capacity-building; the fear of diversity as the underlying current for censorship; the ambiguity between the principle of limited liability for ISPs and the principle of self-regulation; and not least the balance between intellectual property rights and access to information, which is one of the most controversial topics in the global development of the Information Society. A conference report with summaries of workshop discussions and plenary speeches will be available shortly. As a follow-up to the conference, the Danish Institute for Human Rights is drafting concrete suggestions for the WSIS Declaration of Principles and Action Plan to feed into the upcoming Prepcom3 meeting in Geneva (15-16 September). Conference information: http://www.una.dk/wsis

[source: EDRI-gram - Number 17, 10 September 2003]

Police raid German anonymiser

(2003-09-10) [EDRI] The legal victory for privacy was short-lived for the German web anonymiser AN.ON. Only two days after a German court suspended a previous verdict to build a back door into the anonymiser, German police obtained a new court order to raid the offices. On Friday 29 August, the Lower District Court in Frankfurt/Main issued a search warrant for the rooms of the AN.ON project at the TU Dresden to find a protocol data record. This single record had been recorded by the back door, showing the IP address of a visitor to a specific website. On Saturday, police officers went to the apartment of the director of the Institute of System Architecture at the Faculty of Information Technology and demanded the surrender of the data record. Apparently, police threatened to confiscate the hardware on which the anonymiser service is run unless the data were turned over. To avoid further damage to the TU Dresden, the data record was handed over.

According to the project partners' opinion, the decision by the Lower District Court is unlawful. Since the suspension of the duty to disclose information on 27 August by the District Court in Frankfurt/Main, it was clear there was no obligation to surrender until the final decision in the main case was made. The project partners are going to lodge an appeal against this decision.

[source: EDRI-gram - Number 17, 10 September 2003]

PNR data transfer: EU parliament gets angry

(2003-09-10) [EDRI] On 12 September the moratorium expires on the transfer of European passenger-data to the United States. Already harsh words are being exchanged between EU institutions, one of the last realms of diplomatic kindness. "The violation of EU legislation is continuing and with it the rights of European citizens are being violated." This judgement from an official Working Document of the European Parliament is aimed at the Commission, which, according to the document, "in the 6 months since the adoption of Parliament's resolution (on the transfer of Airline Passenger's PNR data to U.S. authorities) has made very little progress with regard to ensuring that EU data protection legislation is observed".

On 5 May EDRi launched a campaign against the PNR transfer, with letters passengers can send to the national Data Protection Authority in their country to request an investigation of the illegal transfer of their personal data.

[source: EDRI-gram - Number 17, 10 September 2003]

EPIC participates in Privacy and Law project

(2003-09-18) [EPIC] The EPIC Alert is now being featured as a resource with the Privacy & FOI Project, a division of the World Legal Information Institute that aims to make searchable from one location all of the databases specializing in Privacy and FOI law and make them available through any of the Legal Information Institutes across the globe. Other sites included in the project are databases of cases from the Canadian Privacy Commissioner, Federal Privacy Commissioner of Australia, and New Zealand Privacy Commissioner, and the Privacy Law & Policy Reporter from Australia.

Visit the Privacy and FOI Law Project at: http://www.worldlii.org/int/special/privacy/

[source: EPIC Alert vol 10 no 19]

GAO issues five security reports

(2003-09-18) [EPIC] The U.S. General Accounting Office released five reports on various aspects of domestic security last week. The reports cover the subjects of smart cards, biometrics, maritime security, ID fraud, and transportation security.

To learn more about the reports: Electronic Government: Challenges to the Adoption of Smart Card Technology, Information Security: Challenges in Using Biometrics, Maritime Security: Progress Made in Implementing Maritime Transportation Security Act, but Concerns Remain, Security: Counterfeit Identification and Identification Fraud Raise Security Concerns, and Transportation Security: Federal Action Needed to Enhance Security Efforts.

[source: EPIC Alert vol 10 no 19]

U.S. and EU Debate Handling of Passenger Data

(2003-09-18) [EPIC] The United States is working diligently to convince the European Union to participate in the proposed Computer Assisted Passenger Profiling System (CAPPS II), the airline passenger security system created to prevent suspected terrorists from boarding airplanes. If the EU does choose to participate in the system as proposed, all travelers entering or flying through the U.S. will be required to provide their name, address, birth date, and home telephone number when purchasing a plane ticket. Each passenger's information would then be shared with the US government and then checked against various private databases, terrorist watch lists, and felony warrant lists. Passengers would be assigned a color code to inform screeners whether to allow them to board the flight, or question, detain or arrest them.

Since March 5, 2003, the EU has cautiously allowed the U.S. access to the Passenger Name Records (PNRs) of its citizens. But the CAPPS II program will not be accepted so simply by the European Commission, which has rejected the demands of the currently proposed program and insisted on "adequate protection." Despite its initial concession of PNR data, the EU continues to press for a framework that is legally secure. Frits Bolkestein, the EU Commissioner in charge of customs issues, has written a letter to U.S. authorities demanding improvements and warning of a confrontation. He noted some improvements from the original CAPPS II proposal, but stands steadfast on the charge that there are too many other privacy threats that lie unprotected by this system. Bolkestein is scheduled to discuss the issue further with representatives of the US Department of Homeland Security on September 22.

[source: EPIC Alert vol 10 no 19]

Congress to Consider Critical Affiliate Sharing Privacy Issues

(2003-09-04) [EPIC] This Fall, Congress is likely to amend the federal Fair Credit Reporting Act (FCRA) and in doing so, may override or "preempt" state laws on affiliate sharing of personal information. Affiliate sharing is the practice of transferring personal information amongst companies with the same corporate ownership. Information transferred can include name and contact information, Social Security Number, purchase information, account numbers and balances, and even the information individuals write on checks. Affiliate sharing is invasive because individuals have no access to the data and cannot obtain an accounting of disclosures; it is used to generate unwanted marketing and telemarketing; and because it puts personal information at risk of being misused.

Affiliate sharing presents a large and growing risk to individuals' privacy. It is likely to be the most important financial services privacy issue in the next decade, especially as companies increase profiling, cross-selling, and telemarketing activities using affiliate-shared information. Companies, such as Citibank, that have 1,900 affiliates, or Bank of America, with over 1,000 entities in its corporate family, can transmit personal information for these purposes to an unlimited degree under federal law.

[source: EPIC Alert vol 10 no 18]

FTC Releases Identity Theft Survey Report

(2003-09-04) [EPIC] On September 3, the Federal Trade Commission released a report on identity theft in the United States based on a survey of more than 4,000 U.S. adults. According to the FTC, last year identity theft cost victims $5 billion in out-of-pocket expenses, as well as 300 million hours of their time trying to fix damage caused by the crime. The FTC survey shows that, in all, 27.3 million Americans were affected by identity theft over the past five years, including 9.9 million people in the last year alone. Although many groups have issued studies showing the immense harm caused by identity theft, the FTC has "never been clear as to the scale of the problem," and agency officials were apparently surprised by the findings.

The FTC found that 49 percent of all 4,057 respondents had no idea how their identity came to be stolen, while 22 percent cited theft and another 12 percent said the information was taken in the course of a transaction. Businesses incurred $48 billion in losses as a result of identity theft; most of this is borne not by credit card issuers, but by the merchants who accepted the fraudulent transactions.

[source: EPIC Alert vol 10 no 18]

EPIC Releases 2003 Privacy and Human Rights Report

(2003-09-04) [EPIC] The Electronic Privacy Information Center (EPIC) and Privacy International released the sixth annual Privacy and Human Rights survey on September 5, 2003. The report reviews the state of privacy in over fifty-five countries around the world. It is the most comprehensive report on privacy and data protection ever published.

Privacy and Human Rights 2003 documents several new challenges and developments in the international privacy arena in the past year. Advancements in technology, combined with a shifting international political climate, have set the stage for increased government experimentation with new systems of surveillance, affecting many fundamental human rights, including privacy. Under the banner of anti-terrorism, several nations have implemented traveler profiling tools and databases, and new systems of identification. Most prominent among these is the United States' CAPPS II system, an airline passenger profiling system that uses passengers' personal data and records in an attempt to detect potential security threats.

Other surveillance methods gaining prominence include the use of biometrics and computerized national ID databases and cards. Biometrics -- the science of using physical identifiers such as fingerprints, iris/retina, or facial patterns -- has received increasing attention from governments and law enforcement agencies in the past year. Several nations are also developing new identification and authentication systems, such as smart cards and digital identification cards. Japan launched a computerized national ID system which compiles the personal data of residents into a centralized national database that can be accessed by the government. Other countries, including Austria, Belgium, Germany, Hong Kong, Russia and Spain are establishing similar systems.

[source: EPIC Alert vol 10 no 18]

Don't Delete Internet Privacy

(2003-08-26) [Detroit Free Press] Overlooked in the battle between the recording industry and those who download copies of their favorite music has been the privacy of all those who surf the Internet or send e-mail. As a result of a recent court decision in the case between the Recording Industry Association of America and the Internet service provider Verizon Online, every consumer's identity, home address and phone number are now available to anyone who can fill out a one-page form. Congress can and should step in to fix this problem immediately.

Article by Peter Swire, Detroit Free Press.

[source: Detroit Free Press]

Sites' privacy rules often are a web of deceptions

(2003-07-28) [Washington Post] Retailers, marketers and an array of Internet service providers are expanding their collection and use of consumers' e-mail addresses and other personal information, despite broad assurances that they will protect individual privacy and honor consumers' choices about how much marketing they want to receive.

Almost all companies promise not to sell consumer data. But many don't mention that such information is rented. This means that the list owner won't release the data to an outside marketer, but it will send messages to the list on the outsider's behalf. Targeted lists available for rent number in the thousands, including those from magazines, professional organizations and even political-interest groups such as Republicans for Jesus.

Article by Jonathan Krim, The Washington Post.

[source: Washington Post, July 28, 2003]

Web Firms Choose Profit Over Privacy

(2003-07-01) [Washington Post] Commercial selling of customer information is now part of normal business operations. As an example, the California-based company Gateway Learning Corp. is advertising that its customer information is available for a fee, despite having promised customers that this would never happen.

To parents interested in buying the popular Hooked on Phonics learn-to-read programs, the company made a firm promise on its Web site: It would never sell or rent their personal information to other marketers. But that pledge was empty. In the pages of a marketing trade publication, Gateway Learning Corp., the product's California-based parent company, was advertising to rent the list of Hooked on Phonics buyers to other marketers.

At a price of $95 per 1,000 names, companies could arrange to have unsolicited advertising sent to 105,936 people who bought Hooked on Phonics in the past year. Included in the information made available to other marketers: ages of the buyers' children.

Article by Jonathan Krim, The Washington Post.

See also the Security Advisor, July 10, 2003 by Wayne Rash

[source: Washington Post July 1, 2003, Page A01]

Danish experiment with e-voting

(2003-08-27) [EDRI] 15,000 Danish voters in the council of Ishoj, near Copenhagen, are invited to experiment with internet voting during the next elections for the European Parliament, in June 2004. According to the spokesperson from the European Parliament, Soren Sondergaard, the Danes aim at high voter participation, especially among the young. 'At the same time it is cheaper and more efficient when the votes are to be counted,' he added. To overcome security concerns, the Ishoj voters will also have to pass by a 'real' ballot box to cast their votes.

[source: EDRI-gram - Number 16, 27 August 2003 ]

Spy-chip in all European cars?

(2003-08-27) [EDRI] A few days ago, the Sunday Times revealed plans from British government officials to fit all cars in Britain with personalised spy-chips. The micro-chip will automatically report a wide range of offences including speeding, road tax evasion and illegal parking. Roadside sensors will be able to monitor all private cars wherever they travel.

But plans for Electronic Vehicle Identification (EVI) are not limited to the UK. The European Directorate General Energy and Transport aims to develop a standardised electronic, unique identifier for motor vehicles, interoperable all over Europe. In December 2002 the Commission gave a grant to the umbrella organisation ERTICO (made up of different stakeholders in the field of implementation of transport telematics systems and services) to do a feasibility study. Results are expected in the summer of 2004. See the Commission working plan Electronic Vehicle Identification.

[source: EDRI-gram - Number 16, 27 August 2003 ]

Successful appeal against back-door in German anonymiser

(2003-08-27) [EDRI] An appeal court in Germany suspended an earlier order to build a backdoor into Germany's most famous anonymising service. The backdoor was removed immediately. According to the original court order, the IP addresses of all visitors to a certain website had to be logged and handed over to the federal criminal police office. This vital information was not disclosed by the developers, but discovered by an attentive user of the service who read the published source code closely.

[source: EDRI-gram - Number 16, 27 August 2003 ]

US Tampa Police Drop Failing Face Recognition System

(2003-08-21) [EPIC] The Tampa Police Department has abandoned the face recognition software used in conjunction with its video surveillance cameras, citing the system's failure to recognize anyone wanted by the authorities over a two-year period. Tampa authorities first used the technology during the 2001 Super Bowl -- without any success -- when they systematically scanned every attendee's face to compare it with a list of suspects' mug shots. The system used in Tampa never led to any arrests or positive identifications, though it occasionally wrongly identified innocent people as wanted felons.

Face recognition technology has never been proved to be reliable. Studies sponsored by the U.S. Department of Defense have shown the system is accurate only fifty-four percent of the time and can be significantly compromised by changes in lighting, weight, hair, sunglasses, subject cooperation, and other factors. Likewise, tests on the face recognition systems in operation at Palm Beach Airport in Florida have shown the technology to be ineffective and error-ridden, leading authorities to forego use of face-recognition equipment. In Virginia Beach, Virginia, police use of the technology has not resulted in the apprehension of a single wanted person in over a year.

[source: EPIC Alert vol 10 no 17]

Researchers Find Flaws in Electronic Voting

(2003-08-06) [EPIC] A recent study conducted by computer science researchers at Johns Hopkins University has found that electronic voting systems contain "significant security flaws" that may subject election results to fraud by both voters and those involved in election administration.

The researchers conducted the study using source code found on the Internet that is believed to be the proprietary code of the AccuVote-TS touch-screen voting system produced by Diebold Election Systems. For more information, see the Johns Hopkins researchers' report Analysis of an Electronic Voting System, and general information about electronic voting is available at VerifiedVoting.org

[source: EPIC Alert vol 10 no 16]

TSA Issues CAPPS II Notice

(2003-08-06) [EPIC] The Transportation Security Administration (TSA) has released a supplementary Privacy Act notice outlining its plans to administer the Enhanced Computer Assisted Passenger Prescreening System (CAPPS II). The agency claims that CAPPS II will enhance transportation security by relying upon private-sector database companies to identify passengers, and on a set of secret procedures to perform a risk assessment on travelers. Passengers will be assigned a risk score by CAPPS II that could subject them to heightened security screening or detention.

In a significant expansion of the program, TSA announced that CAPPS II will not only scan for suspected terrorists, but also for those wanted for violent crimes.

[source: EPIC Alert vol 10 no 16]

RFID PR Revealed; Wal-Mart Cancels Major RFID Effort

(2003-07-22) [EPIC] Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) recently located internal public relations documents detailing how Radio Frequency Identification (RFID) developers plan to offset public opposition to the widespread embedding of the tracking devices in consumer products. The documents, prepared by Fleishman-Hillard, a public relations consultancy, detail how such a campaign may unfold.

In related news, retail giant Wal-Mart announced on July 9 that it is shelving plans to tag consumer products with RFID chips, after it had urged 100 of its top suppliers to begin tagging products by 2005. Wal-Mart had joined forces with Gillette to develop a "smart-shelf" system, where shelves outfitted with RFID readers would track Gillette products.

[source: EPIC Alert vol 10 no 15]

First HIPAA Privacy Enforcement Details Reported

(2003-07-22) [EPIC] Three months after the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective, the first updates on enforcement activities reflect the law's early implementation difficulties.

On June 24, the Office for Civil Rights (OCR), which is responsible for the enforcement of the Privacy Rule within the Department of Health and Human Services, provided an update to the National Committee on Vital and Health Statistics (NCVHS), a public advisory body to the Secretary of Health and Human Services. Stephanie Kaminsky of OCR testified that the office received 637 complaints prior to the hearing date. Of those, OCR had closed 124 cases and 513 remained open. A total of 260 cases were accepted for investigation after OCR determined that the complaint dealt with an issue, time frame and entity over which OCR has proper jurisdiction. No cases have been referred to the Justice Department for criminal prosecution. Complaints to the OCR have raised such issues as the inability of individuals to access their information, inadequate safeguards for health information, deficient provision of Notice of Privacy Practices, and insufficient minimum necessary procedures to limit disclosure in provider offices and facilities.

[source: EPIC Alert vol 10 no 15]

Recent Report: Internet Privacy Policies

(2003-07-03) [EPIC] The Annenberg Public Policy Center at the University of Pennsylvania released a study last week that questions the success and viability of consumer education on Internet privacy policies. The most startling finding is that 57 percent of adult home Internet users believe that websites with privacy policies do not share their personal information with third parties. Written by Prof. Joseph Turow, the study also found that most U.S. Internet users have no idea that websites manipulate, extract and share data to create profiles about their web visitors.

In other findings, 94 percent of the report respondents agreed with the statement that "I should have a legal right to know everything that a web site knows about me." Eighty-five percent thought that a law that gave individuals the right to control how websites use and share information would either be "very" or "somewhat" effective in protecting privacy. For more information, see Joseph Turow, Americans and Online Privacy: The System is Broken, Annenberg Public Policy Center, June 2003:

[source: EPIC Alert vol 10 no 14]

European Data Protection Officials Release New Opinions

(2003-06-19) [EPIC] The Data Protection Working Party (Article 29) released opinions on a variety of privacy issues including EU-US passenger data sharing and the Whois database.

The Article 29 group is an independent European advisory body on data protection and privacy that was set up by the 1995 European Community Data Protection Directive (95/46/EC). Among its tasks, the Article 29 group examines any question covering the application of EU Member States' measures adopted under EC privacy directives in order to contribute to their uniform application, and gives the European Commission an opinion on the level of protection in the European Community and in third countries. It also advises the Commission on any proposed EC measures affecting natural persons' freedoms and rights with regard to the processing of their personal data. In an opinion released this week, the Article 29 group addressed the adequacy of the protection offered by the "Undertakings", an arrangement reached between the U.S. government and the European Commission to deal with passenger data sharing, and sought to establish a clear legal framework for such transfers that complies with data protection principles. For more information, see Article 29 Opinion on Whois Database and Article 29 Opinion on EU-US Passenger Data Sharing.

[source: EPIC Alert vol 10 no 12]

EPIC Conference Explores Privacy and Technology Issues

(2003-06-06) [EPIC] In honor of the 100th anniversary of George Orwell's birth, EPIC hosted a conference on June 2 entitled "Privacy and Technology: Looking Back, Looking Ahead" at the National Press Club in Washington, DC. Members of EPIC's advisory board discussed the challenges of new technologies as they relate to privacy and surveillance, the role of law in safeguarding freedom, and the role of technology in safeguarding freedom.

Among the presentations: Professor Daniel Solove of Seton Hall Law School discussed the risks of the Defense Department's proposed Terrorism Information Awareness (TIA) system and the government's expanding use of third-party information brokers; Dr. Barbara Simons of the Association for Computing Machinery discussed data mining problems and issues related to false positive results; Professor Jerry Kang of the UCLA Law School presented two different visions of pervasive computing and how they might alter legal paradigms; and Dr. David Chaum's discussion centered on voting technology and the simultaneous need for voter anonymity and voting audit trails. For more information, see the EPIC Privacy and Technology Conference website.

[source: EPIC Alert vol 10 no 11]

German debate about wiretapping statistics

(2003-08-12) [EDRI] After public criticism, the German ministry of economy (Bundeswirtschaftsministerium) is withdrawing plans to discontinue the central yearly statistics on wiretapped telephones. In an article in 'Focus' magazine the ministry had announced its intention to change the next draft of the telecommunications law accordingly. A week later the ministry issued a press release denying the abolition plan.

[source: EDRI-gram - Number 15, 12 August 2003 ]

Big brother in the supermarket

(2003-07-30) [EDRI] The UK supermarket chain Tesco has confirmed that it is testing a controversial surveillance system that tracks customers in one of its stores in Cambridge. Anyone buying certain products will have their picture taken. Twice.

The system uses Radio Frequency Identifiers (RFIDs) to trigger CCTV cameras to take a picture of the customer. In the test, RFIDs are embedded in Gillette razor blades. When the customer takes a package of Gillette from the shelf, an RFID reader will trigger a camera to take a picture. At the checkout another RFID reader will trigger a second camera. The cameras are monitored by security personnel in the shop who will compare the two pictures. The system is supposedly designed to detect theft.

[source: EDRI-gram - Number 14, 30 July 2003 ]

RFID developers aim to neutralize opposition

(2003-07-16) [EDRI] Developers of Radio Frequency Identification (RFID) are making plans to 'neutralize opposition' to their new technology. The strategy is discussed in confidential documents from the Auto-ID Center, in which RFID developers work together. The documents were uncovered by Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) through a security glitch on the Auto-ID Center's website.

[source: EDRI-gram - Number 13, 16 July 2003 ]

Commission workshop on privacy enhancing technologies

(2003-07-16) [EDRI] On 4 July, the European Commission organised a technical workshop on Privacy Enhancing Technologies (PETs) in Brussels. 39 experts from Europe, the USA and Canada were invited to participate, ranging from Commission officials to academic experts, and from data protection authorities to business representatives. Among the invitees were also two EDRI members, FIPR and Bits of Freedom.

[source: EDRI-gram - Number 13, 16 July 2003 ]

Preparations for biometric chip in EU passports

(2003-07-16) [EDRI] International technical standards bodies (ISO) and civil aviation bodies (ICAO) are preparing plans for 'globally interoperable machine readable passports'. The technology should consist of RFID (Radio Frequency Identification) chips that contain 'details that enable the machine-assisted identification of the presenter'. These technical descriptions point at passports that can transmit biometric data over a radio frequency.

[source: EDRI-gram - Number 13, 16 July 2003 ]

Finnish plans to lower privacy protection for employees

(2003-07-02) [EDRI] On 26 June, the Finnish Ministry of Labour released a draft new version of the law protecting privacy at the workplace. The proposal would make it legal to read employees' email under certain circumstances. It also contains new regulations on camera surveillance (allowed as long as a single employee is not singled out) and drug testing (widely allowed at work, but not as part of job interviews).

The proposal was sternly criticised in the Finnish media for giving too much leeway to how companies can monitor their employees. Many people are especially concerned about the fact that employers will be allowed to check all kinds of emails employees receive while they are sick or on holiday. The traffic data and information in the headers can easily reveal sensitive personal information that should fall under privacy protection. Secondly, even if the proposal categorically forbids employers to open private emails, it is not always possible to know beforehand whether an email is private or work related. Emails often contain both kinds of material.

[source: EDRI-gram - Number 12, 2 July 2003 ]

Biometrics in EU passports

(2003-07-02) [EDRI] In a remarkably high-speed procedure, the EU Council plans to oblige all Member States of the Union to introduce chips containing biometric data on their passports within a little less than a year. Allegedly, this step is taken to meet a U.S. deadline set on 26 October 2004. After that date, according to a law passed eight months after the 11 September attacks, the U.S. will demand visas from all travellers entering the U.S. who don't have DNA code, fingerprints, or iris scans embedded in their travel documents.

It is an open secret however, that the filing of biometric features and their inclusion on personal documents have for a long time been on the wishlist of EU law enforcement officials, in particular those associated with the Schengen Information System (SIS). The EU itself plans to introduce biometric data on visas and residence permits for third country nationals, as part of its fight against illegal immigrants. These data will be stored in the SIS, apparently along with biometric data of EU citizens who have come into conflict with the law.

[source: EDRI-gram - Number 12, 2 July 2003 ]

UK acknowledges public criticism of identity-card

(2003-06-19) [EDRI] The UK Government has finally admitted that the public are overwhelmingly opposed to the idea of a national ID card. In response to a parliamentary question from member of parliament Anne McIntosh, Home Office minister Beverley Hughes has confirmed that over 5,000 of the 7,000 responses to a public consultation on the issue were opposed to the scheme.

The latest press reports suggest that the government intends to press on with its plans for ID cards - this time using the crime and asylum arguments that they explicitly rejected in 2002 when they launched their consultation.

[source: EDRI-gram - Number 11, 19 June 2003 ]

Finnish Big Brother Awards for YTV and Sonera

(2003-06-19) [EDRI] On 4 June EDRI-member EFFI organised its second annual Big Brother Ceremony. The award in the public sector was given to YTV, the body that runs public transport in the Helsinki region. It received the award for its new electronic ticket system that stores individual passenger information, including social security numbers. Anonymous cards were available, but in practice only for business purposes, at a much higher price. Only after a long struggle with the Finnish data protection agency did YTV finally change its mind and conclude that the system could also work without any identification of the passengers.

For the Big Brother Award in the business category there was really only one candidate. Sonera, the biggest telephone company in Finland, was caught analysing the traffic data from the mobile phones of at least 50 customers, both employees and outsiders, in order to find out who had been leaking confidential corporate information to the press. The analysis didn't produce a suspect. At least 5 senior staff members were arrested (but later released), including the chief executive officer (CEO). They will most likely face criminal charges.

[source: EDRI-gram - Number 11, 19 June 2003 ]

Irish DPA threatens government with court case

(2003-06-04) [EDRI] According to an article in the Irish Times of 26 May, the Irish Data Protection Commissioner Mr Joe Meade has twice threatened to begin High Court proceedings against the Government for using an "invalid" Ministerial Direction to unconstitutionally store citizens' phone, fax and mobile call data for 3 years.

In April 2002 the Minister for Public Enterprise issued directions to telecommunication operators to keep detailed, non-anonymous traffic data for a three-year period. When Meade revealed this during a conference on data retention in February, he stated that government was also preparing mandatory data-retention for internet providers.

[source: EDRI-gram - Number 10, 4 June 2003 ]

Radio chips in euro banknotes

(2003-06-04) [EDRI] Japanese electronics maker Hitachi has told the Japanese press that it has started talks with the European Central Bank (ECB) about the use of RFIDs in euro banknotes. RFIDs (radio frequency identification) are very small radio chips that transmit a unique serial code when a reader is placed in their proximity. RFIDs were originally designed for logistic purposes: to track and trace items in transport or stored in warehouses. But the mini-tags are also being embedded in consumer products, as described in the previous EDRI-gram. This raises serious privacy concerns, since the technology makes it possible to track and trace individual consumption patterns. The RFIDs have no access control: anyone with a reader can detect them and read the serial number. The only way to protect privacy would be to remove or disable the tag when buying the product in a store.

The RFIDs in euro banknotes could help against counterfeiting and make it possible to detect money hidden in suitcases at airports. But the technology would also enable a mugger to check whether a victim has handed over all of his money. If RFIDs are embedded in banknotes, governments and law enforcement agencies can literally 'follow the money' in every transaction. The anonymity that cash affords in consumer transactions would be eliminated. Curiously, the European Central Bank has stated recently in a biannual report that "the full extent of euro counterfeiting is very small".

[source: EDRI-gram - Number 10, 4 June 2003 ]

The Kinko's Caper: Burglary by Modem

(2003-08-07) [New York Times] Juju Jiang is an audacious if ultimately clumsy predator in the immeasurable world of cybercrime. Though such cases are rare, a public PC can be a door to identity theft.

According to the federal agents who prosecuted him, Mr. Jiang had unwitting help from his victims: customers at Internet terminals at 13 Kinko's copy shops in Manhattan entered personal information that he gathered with software he had installed there to capture their every keystroke.

Mr. Jiang, 25, pleaded guilty last month to computer fraud and software piracy. (Article by Lisa Napoli)

[source: The New York Times on the Web]

Spam Now Represents More Than 50% of Corporate Email

(2003-06-02) [MessageLabs] The most startling finding this month was that MessageLabs found spam accounted for 1 in every 1.8 (55.1%) of the 133.9 million emails scanned from its global network of control towers. This represents an increase of 38.6% over last month's figures and an increase of over 40.6% on the year to date, and indicates that the majority of email received by business enterprises is now spam.

The volume of spam now facing computer users every day has now far surpassed the point of being a nuisance and is now causing significant productivity losses and IT costs at businesses across the world, noted Mark Sunner, Chief Technology Officer at MessageLabs. MessageLabs also found that the ratio of viruses in email was 1 in 145.3, an increase of 47.4% since April. May saw the spread of two significant viruses, Fizzer and Sobig.B (aka Palyh), both of which were intercepted by MessageLabs before any of the major anti-virus vendors had a viable update available (for more information see the charts provided in the MessageLabs Intelligence report).

[source: Web]

'I love my phone. It's my friend.'

(2003-06-23) [Europemedia.net] UK think tank Demos has published a report that says Britons hold a paradoxical love/hate relationship toward mobile phones, and must be encouraged to embrace mobile technology if they are not to miss out on the social benefits of 3G. But is there awareness of privacy implications?

The main example given by the report of a 'killer application' capable of winning the public over to next generation phones if marketed in the right way, was that of 'location-aware' devices, handsets that automatically send and receive information about their location in relation to other users. This marks a potential shift away from public concerns over 'big brother' surveillance to a less centralised approach where location information is shared among users.

[source: Europemedia.net daily newsletter]

Voice-over-IP - A Switch in Protection

(2003-06-06) [Infoworld.com] ... [Voice over IP - Telephone on the Internet] is finally reaching the point where it's a technology you wouldn't mind having in your enterprise. But what is being done to keep someone from intercepting that stream of voice information and listening to your phone conversations? At this point, almost nothing - hence the security hole.

Talks with engineers at both IP phone manufacturers and Ethernet switch companies revealed the point of weakness. If someone gains access to the edge switch that the IP phone is attached to, it's possible to configure a mirror port (a SPAN session, in Cisco terms) and siphon off a copy of everything being said. The copy is usable because the voice stream is normally carried in the clear; encrypting the media end to end and locking down management access to edge switches are the corresponding mitigations.
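The check a network or SOC engineer would want after reading this is whether any edge switch already mirrors voice traffic somewhere. The following is an added example, not code from the InfoWorld article or from any switch vendor: it parses an IOS-style "show running-config" excerpt (the sample configuration below is constructed for the example; the "monitor session" and "switchport voice vlan" syntax is the Cisco form, and the interface-name normalisation is an assumption of this script) and reports every mirror session whose source is a phone port or a voice VLAN, i.e. a session that delivers a cleartext copy of calls to whoever owns the destination port.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed IOS-style "show running-config" excerpt (sample data, not from a real device).
# Session 1 mirrors a phone port, session 2 mirrors the voice VLAN, session 3 mirrors a printer.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
interface FastEthernet0/1
 description IP phone, reception
 switchport access vlan 10
 switchport voice vlan 100
!
interface FastEthernet0/2
 description printer
 switchport access vlan 10
!
interface FastEthernet0/24
 description uplink
 switchport mode trunk
!
monitor session 1 source interface Fa0/1 both
monitor session 1 destination interface Fa0/23
monitor session 2 source vlan 100 rx
monitor session 2 destination interface Fa0/22
monitor session 3 source interface Fa0/2
monitor session 3 destination interface Fa0/21
!
end
"""


class SpanSession(NamedTuple):
    session: int
    sources: List[str]   # normalised interface names or "vlan<N>"
    destination: str     # normalised interface name, "" if none configured


_MONITOR_RE = re.compile(
    r"^monitor session (?P<id>\d+) (?P<role>source|destination) "
    r"(?P<kind>interface|vlan) (?P<name>\S+)"
)
_IFACE_RE = re.compile(r"^([A-Za-z]+)(\d.*)$")


def norm_iface(name: str) -> str:
    """Map 'FastEthernet0/1', 'Fa0/1' and 'fa0/1' onto one key ('fa0/1')."""
    m = _IFACE_RE.match(name)
    if not m:
        return name.lower()
    return m.group(1)[:2].lower() + m.group(2)


def parse_span_sessions(config: str) -> List[SpanSession]:
    """Collect 'monitor session' source/destination lines into one record per session id."""
    sessions: Dict[int, SpanSession] = {}
    for line in config.splitlines():
        m = _MONITOR_RE.match(line.strip())
        if not m:
            continue
        sid = int(m.group("id"))
        rec = sessions.setdefault(sid, SpanSession(sid, [], ""))
        if m.group("kind") == "vlan":
            target = "vlan" + m.group("name")
        else:
            target = norm_iface(m.group("name"))
        if m.group("role") == "source":
            rec.sources.append(target)           # the list is shared with any replaced record
        else:
            sessions[sid] = rec._replace(destination=target)
    return [sessions[k] for k in sorted(sessions)]


def voice_targets(config: str) -> Set[str]:
    """Interfaces that carry a voice VLAN, plus the voice VLANs themselves."""
    targets: Set[str] = set()
    current = ""
    for line in config.splitlines():
        if line.startswith("interface "):
            current = norm_iface(line.split()[1])
        elif line.startswith("!"):
            current = ""
        elif current and line.strip().startswith("switchport voice vlan "):
            targets.add(current)
            targets.add("vlan" + line.split()[-1])
    return targets


def mirrors_of_voice_traffic(config: str) -> List[int]:
    """Session ids whose sources include a phone port or voice VLAN: each one is a cleartext tap on calls."""
    voice = voice_targets(config)
    return [s.session for s in parse_span_sessions(config)
            if any(src in voice for src in s.sources)]


if __name__ == "__main__":
    for s in parse_span_sessions(SAMPLE_CONFIG):
        flag = "VOICE TAP" if s.session in mirrors_of_voice_traffic(SAMPLE_CONFIG) else "ok"
        print(f"session {s.session}: {s.sources} -> {s.destination or '(no destination)'} [{flag}]")
```

Run it against a real configuration dump by reading the file into the `config` argument; a session that mirrors a voice VLAN or a phone port with no documented reason is exactly the condition the article describes, and the same parser can be pointed at the output of a scheduled config backup to alert on new sessions.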

[source: Web]

Internet Filters and Free Speech

(2003-06-25) [New York Times] If the law intended to keep children off adult sites in libraries proves too limiting of free expression, the libraries should go back to court.

The editorial deplores the Supreme Court ruling upholding a law that requires libraries to use filters on all computers with Internet access in order to receive federal aid. It holds that the law's goal of preventing children from accessing pornography is legitimate, but sees the ruling as denying adults the ability to see a substantial amount of material online, and urges libraries to weigh a new challenge to the law.

[source: Web]

E-polling gets underway

(2003-07-14) [EU] E-POLL, an EU-sponsored project for a new form of voting, enjoyed a good start during five tests in Italy and France. The partners also plan to extend the trials on suitable occasions in the future, for example to Poland.

More info at E-POLL.

[source: IST Results]

A Simpler, More Personal Key to Protect Online Messages

(2003-07-07) [The New York Times Company] A Silicon Valley start-up company on Tuesday plans to unveil a new approach to sending secure electronic messages and protecting data, a simpler alternative to current encryption systems, which use long digital numbers, called public keys. The new company, Voltage Security, instead uses another unique identifier as the public key: the message recipient's e-mail address.

[source: Web]

Commission recognises that Argentina provides adequate protection for personal data

(2003-07-02) [EU] The European Commission has recognised that Argentina provides an adequate level of protection of personal data. This will allow personal data to flow freely from the EU to Argentina, without additional safeguards being needed to meet the requirements of the EU Data Protection Directive. The Commission's decision was taken in the light of advice from Member States' supervisory authorities.

[source: European Information Society Newsroom]

E-democracy in Wolverhampton

(2003-06-30) [Europemedia.net] Wolverhampton City Council's initiative forms part of a three-year project entitled "Webocracy", funded by the European Commission's Information Society Technology programme and involving partners from seven other EU countries.

[source: Europemedia.net daily newsletter]

Dutch e-government voting incites controversy

(2003-06-18) [Europemedia.net] The Electronic-highway Platform Nederland says it is not against distance voting, but would like to see the risks reduced by fully testing the online voting system locally before it is used in a high-profile test case.

Electronic-highway Platform Nederland (EPN), the Dutch foundation for promoting the proper use of information and communication technology (ICT) in society, has come out against the deployment of internet and telephone voting without proper testing - a view shared by ICT companies. The Dutch Second Chamber is to start discussing a bill that would give the green light for an experiment in distance voting in 2004, allowing Dutch citizens abroad to use the internet to cast their vote in the EU parliamentary elections.

The international character of such an experiment would make internet voting the target of a publicity stunt by hackers the world over, alleges EPN, in whose Expert Group the Consumentenbond (Dutch consumer association), various municipalities and several large ICT companies are represented. The timing of such a sabotage attempt would be especially sensitive, as it would coincide with the Netherlands' takeover of the EU presidency. EPN is not against distance voting, but would like to see the risks reduced by fully testing the online voting system locally before launching it in a high-profile experiment, says EPN director Peter van der Wel.

Internet voting has its detractors. Dutch privacy activist Maurice Wessling of Bits of Freedom claims that online voting violates the voting secrecy guaranteed under the Dutch constitution. Unlike the voting booth, voting through a publicly located computer screen, for example, does not provide the same level of privacy. Furthermore, network hacking can also reveal sensitive voter information.

[source: Europemedia.net]

Fortress SMS delivers encrypted text messages

(2003-06-06) [Europemedia.net] The text messages are encrypted, saved and password-protected on the users' own handsets, without having to go via the mobile operator for such a solution.

UK software developer Silicon Village has developed a service-independent end-to-end solution for sending encrypted SMS messages. The handset-based application, Fortress SMS, allows for end-to-end data transmission for Series 60 and Symbian platform phones, sending encrypted SMS and decrypting encoded messages at the receiving end. The text messages are encrypted, saved and password-protected on the users' own handsets, without having to go via the mobile operator for such a solution, using the US government's Advanced Encryption Standard (AES) Rijndael algorithm. The software features long message support, multiple recipient support, integrity checking of encrypted messages and Unicode character support.

[source: Europemedia.net daily newsletter]

Philips and Visa form alliance to promote contactless payment

(2003-06-04) [Europemedia.net] By combining electronic payments and contactless chip technology, Philips and Visa plan to deliver contactless solutions that will enable payment transactions anywhere, anytime and through any device - PCs, mobiles, gaming platforms, PDAs and other handhelds.

[source: Europemedia.net daily newsletter]

Big Brother's not watching you - you're wearing him

(2003-06-04) [Europemedia.net] Microelectronic implants in consumer products such as clothing from Benetton are worrying privacy activists.

Consumer products are equipped with a minuscule electronic device to help the manufacturer track the article from production to delivery at the retailers, who continue to make use of the tracking device to monitor sales, theft and inventory. This raises the issue of privacy, especially if the wearer is being tracked unwittingly. Furthermore, in the wrong hands, such a device could be used for malicious and nefarious purposes. This scenario is already becoming a reality with the introduction of affordable smart labels based on Radio Frequency Identification (RFID) technology, powered by a microchip attached to an antenna and tracked remotely by an RFID reader. Global fashion company Benetton is implementing the world's largest smart labelling project in the fashion industry. The Dutch data protection authority CBP and privacy activists Bits of Freedom - like its American counterpart, Caspian (Consumers Against Supermarket Privacy Invasion And Numbering) - are starting to pay attention and ask questions. Concern has been further heightened by the announcement of the possible deployment of microelectronic chips in euro bills for fighting currency counterfeiting and fraud.

[source: Europemedia.net daily newsletter]

The 'intelligent surveillance camera system' is watching you...

(2003-05-30) [Europemedia.net] The Physical and Electronic Laboratory of the Dutch institute for applied scientific research, TNO, is working on an intelligent surveillance camera system that can be deployed to recognise a security situation and take necessary action. A computer attached to a video camera can be programmed to analyse incoming images from the camera, and recognise security situations (like unexpected human presence or movement in a restricted area) that have been predefined.

The computer can take subsequent action, such as raise an alarm, or send a video clip to a security guard's mobile phone or computer screen in the incident room. Such a system removes (or reduces) the need to watch a security monitor constantly, and could reduce the number of dedicated security personnel. There are many other uses for such a system, monitoring a factory's production line for mishaps like jams or broken components, for example. The TNO lab is also working on an improved video camera, which will capture more, sharper details, making recognition and identification easier.

[source: Europemedia.net daily newsletter]

U.S. To Require Biometrics in Visas and Passports

(2003-05-23) [EPIC] Pursuant to the Homeland Security Act of 2002, the Department of Homeland Security will introduce the US-VISIT (United States Visitor and Immigrant Status Indicator Technology) program by the end of 2004. The program collects, maintains and shares information, including biometric identifiers, on foreign nationals. The system is designed to scan travel documents and take fingerprints and pictures of foreign nationals to check them against government databases. Other biometric identifiers, such as facial recognition and iris scans, are likely to be introduced by 2005.

Citizens of nations that participate in the Visa Waiver Program will be asked either to show a national passport that contains biometric data (fingerprint) or they will be excluded from the waiver program and have to apply for a visa. The database that will be created under the US-VISIT program will store all data for an unspecified length of time and will be shared across all law enforcement agencies. U.S. VISIT Program Fact Sheet: http://www.dhs.gov/dhspublic/display?content=736

[source: EPIC Alert. Volume 10 no 10, May 23, 2003]

Microsoft Passport Flaw Discovered

(2003-05-23) [EPIC] A computer researcher in Pakistan found a new flaw in Microsoft Passport that could expose personal information, including credit card numbers, for 200 million Internet users. In July and August 2001, EPIC and a coalition of consumer advocacy groups filed detailed complaints with the Federal Trade Commission (FTC) concerning the privacy risks associated with the Passport identification and authentication system. The FTC found that Microsoft's representations about Passport constituted unfair and deceptive trade practices and settled the action against Microsoft. The agreement requires that Microsoft establish a comprehensive information security program for Passport, and that it must not misrepresent its practices of information collection and usage.

EPIC's Passport Page: http://www.epic.org/privacy/consumer/microsoft/passport.html

[source: EPIC Alert. Volume 10 no 10, May 23, 2003]

FTC Workshop on Technologies for Protecting Personal Information

(2003-05-23) [EPIC] On May 14, the Federal Trade Commission (FTC) explored "Technologies for Protecting Personal Information: The Consumer Experience" as part of a public workshop on the role of technology in consumer privacy protection.

During the workshop, the FTC considered consumer tools for managing the collection and use of personal information. EPIC commented that the starting point for such a discussion is a clear understanding of what is meant by privacy enhancing technologies (PETs). PETs are technologies or tools that eliminate or minimize the collection of personally identifiable information. Individuals commonly use PETs in the physical world. Cash, for instance, enables us to purchase items and services without transferring any personally identifiable information. Digital cash could function in a similar way. After providing a number of examples of tools that genuinely advance privacy, EPIC noted several characteristics common to them. For example, all genuine PETs:

* limit the collection of personally identifiable information;
* enable commerce and communication;
* do not facilitate the collection of personal information;
* do not force Internet users to trade privacy for convenience; and
* do not treat privacy as a business commodity.

These are all desirable characteristics that genuinely advance privacy and promote transactional activity in the online environment. For more information on the workshop, see: http://www.ftc.gov/bcp/workshops/technology/index.html

[source: EPIC Alert. Volume 10 no 10, May 23, 2003]

Pentagon Submits Report on Info Awareness Project

(2003-05-23) [EPIC] On May 20, the Pentagon's Defense Advanced Research Projects Agency (DARPA) submitted its congressionally-mandated report on the Total Information Awareness Program (TIA), now re-named the "Terrorism" Information Awareness Program. The name change, according to DARPA, was necessary because the original name "created in some minds the impression that TIA was a system to be used for developing dossiers on U.S. citizens."

Congress required DARPA to provide responses to five questions.

First, a detailed accounting of the funds, proposed expenditure plans, and target dates for deployment; second, an analysis discussing the likely efficacy of the surveillance program; third, an analysis of the likely impact on privacy and civil liberties; fourth, an accounting of the current laws that would govern information being sought by TIA and any modifications to the laws that TIA might require; and finally, Congress asked for recommendations, endorsed by the Attorney General, for practices, procedures, and regulations to eliminate or minimize adverse effects on privacy and other civil liberties.

[source: EPIC Alert. Volume 10 no 10, May 23, 2003]

M-ticketing is alive and well in Dutch public transport

(2003-05-21) [Europemedia.net] The experimental m-ticketing project launched by Dutch public transport company NoordNed in September 2002 has proved such a success that the company has turned it into a standard service.

The transit service, which serves northern towns and cities, started out offering its bus and train passengers travelling between Leeuwarden and Groningen, or Stavoren and Harlingen, the choice (and the hassle) of purchasing a printed ticket, or ordering one beforehand through the internet or by calling a special telephone number.

Passengers who order an m-ticket receive it on the day of travel on their mobile phone in the form of a number code in an SMS (short message service) message.

Conductors are equipped with special handheld computers for validating m-tickets.

Of the several hundred passengers who participated in the pilot, 75 per cent responded enthusiastically to m-ticketing (of which 19 per cent expressed total satisfaction), while the remaining 25 per cent said they still preferred the traditional paper ticket.

NoordNed is now planning to extend its m-ticketing service to other train and bus routes.

Dutch Railways, which does not have any m-ticketing plans of its own, is still on track to introduce next year a form of e-ticketing (already being tested on the Rotterdam metro) using a chipcard, in conjunction with pre- and post-paid forms of payment.

[source: Europemedia.net]

Electronic documents and signatures legalised in Ukraine

(2003-05-23) [Europemedia.net] The Ukrainian parliament has passed a law that legalises electronic documents and e-signatures. With the passage of the law, Ukrainian companies are now able to sign digital agreements and send them by e-mail. Businesses are responsible for security measures they apply using their e-documents.

While companies and individuals are now able to sign e-papers electronically, inheritance and adoption documents are now required to be drafted only on paper.

The law also prescribes the creation of a series of institutions to monitor and control e-signature practice in the country, in particular, the security key certification centre.

[source: Europemedia.net]

Pentagon System Hopes to Identify Walks

(2003-05-19) [Guardian Unlimited] Pentagon anti-terror surveillance system hopes to identify people by the way they walk

Watch your step! The Pentagon is developing a radar-based device that can identify people by the way they walk, for use in a new antiterrorist surveillance system. Operating on the theory that an individual's walk is as unique as a signature, the Pentagon has financed a research project at the Georgia Institute of Technology that has been 80 to 95 percent successful in identifying people.

[source: Guardian Unlimited]

How usable is a digital signature in the Netherlands, really?

(2003-05-23) [EuropeMedia.net] The electronic-signature bill has finally become law in the Netherlands, placing the digital signature on an equal legal footing with its old-fashioned, handwritten equivalent. But how useful is it in practice?

Not to be confused with a scanned-in copy of an ink-on-paper signature, an electronic signature uses cryptography and information technology (IT) to uniquely identify the sender of an electronic message or document, guaranteeing that senders of such messages really are who they claim to be.

But there's the rub - at least in the Netherlands. The unique identification number (the e-signature), which is linked to a particular person, has to be issued by a certification service provider (CSP), a so-called trusted third party.

Furthermore, Dutch law stipulates that the e-signature is only valid if it is stored on a chipcard, which subsequently handles the authentication, encryption and insertion processes.

PinkRoccade, an ICT-services company and currently the only authorised Dutch CSP, puts the cost of the chipcard at over €100, and that does not include the price of a chipcard reader. More importantly, asks this CSP, who will absorb these costs?

To aggravate matters even further, the Dutch authorities are waiting for the private sector (presumably) to drum up enough critical mass before they themselves will consider allowing the use of e-signatures when, for example, requesting a passport or other legal documents.

In the meantime, another Dutch ICT company has come up with a novel digital-signature solution for just €30 a year.

It uses computer software to create an e-signature, which is subsequently stored on the user's computer and deployed, for example, in e-mail for validating addresses of incoming mail (free e-mail addresses, like Microsoft's Hotmail, are not accepted).

This solution also allows its licence to be shared with the holder's family and friends, thus creating a secure communicating group.

All of this will lower the entry threshold for e-signatures and promote their use.

[source: EuropeMedia.net]

6,200 Danes use digital signature in tax statement trial

(2003-05-23) [EuropeMedia.net] The digital signature was launched at the beginning of March this year by Denmark's biggest telecom company, TDC.

6,200 Danes chose to correct or approve their revised annual tax statements over the internet using Denmark's official Digital Signature. The Ministry of Science, Technology and Innovation, the institution responsible for the digital signature, is happy with the figures, as people could just as easily have chosen to use other methods, such as the phone. It was anticipated that the revision of annual tax statements would be the process to kick-start citizens' use of the signature. One in four of those in possession of a digital signature used it for their annual tax statement.

[source: EuropeMedia.net]

Security, privacy and democracy

(2003-05-22) [EuropeMedia.net] In his inaugural speech at the Catholic University of Nijmegen, Professor of Software Security and Correctness Bart Jacobs expressed apprehension at the secrecy surrounding software and computer-system security - something which could jeopardise Dutch democracy - and called for more openness in this field.

Professor Jacobs, who has done extensive research in security software for chip-cards and whose investigation into bankcard fraud gained him his reputation, is concerned about electronic voting.

According to Dutch law, every Dutch citizen is entitled to be present during vote counting - which is not possible with electronic voting.

Moreover, hackers could quite possibly break into voting systems, causing large-scale fraud and influencing the election outcome.

This type of fraud can be prevented if scientists are given a free hand to research and investigate computer security, something Jacobs advocates.

Unfortunately, the new copyright law (still in the making) will tie researchers' hands, making uncovering or disclosure of security errors illegal in the future.

In fact, this is tantamount to government placing its fundamental responsibilities in the hands of computer systems into which the authorities have no insight, said the professor.

[source: EuropeMedia.net]

Will the new EU cyber-security agency actually deliver?

(2003-05-22) [EuropeMedia.net] The European Commission has proposed the creation of a 'European Network and Information Security Agency' as a tool to co-ordinate national efforts as well as the work done by business and consumer associations. The agency's work will be based on voluntary action because, as Commissioner Liikanen said, 'This does not give us any power to impose cooperation'. It is expected that, on realising that it is in the best interest of all, industries and national agencies will come forward with information to quickly devise an effective response to cyber-attacks.

Another area in which the agency's work can be really useful is data privacy protection. Last week, for instance, several organisations and consumers expressed their fears of a possible violation of EU privacy laws through an agreement with the US government under which airline passenger information will have to be provided in order to check whether any person has a criminal record or links with terrorist organisations.

However, whether the agency would improve data privacy protection remains to be seen, some experts have warned. For instance, John Russell, CEO of Weber Shandwick Adamson, has warned that this can be a 'double edge': when you have a highly sophisticated system, a potential threat to consumers over their data may arise. Thus, it is important that the agency keeps its procedures and recommendations as simple as possible.

[source: EuropeMedia.net]

Airlines refuse to release passenger data

(2003-05-22) [EDRI] The US is putting pressure on airlines to give full access to their databases or else risk losing their landing rights in the US. Dutch airline KLM admitted to having opened its passenger databases to American law enforcement officers. Airlines SAS and Finnair had not yet succumbed to American pressure, and refuse to open their databases to US Customs.

[source: EDRI-gram, Number 9, 21 May 2003]

100 million phone records seized by UK agencies

(2003-05-22) [EDRI] Police and other officials in the UK are obtaining an estimated 100 million phone records per year. The number is based on estimates supplied by the Home Office, ministerial statements, legal experts, the communications industry and members of parliament.

This mass of seized information comprises perhaps a billion individual items of data, ranging from credit card numbers to dialled numbers. Combined, this extraordinary array of data creates a comprehensive dossier on the contacts, friendships, interests, transactions, movements and personal information of almost everyone in the UK. A single customer file can involve thousands of items. BT stores records for up to seven years, and these are sent automatically on request to government agencies without the need for human intervention. Mobile phone providers - O2 in particular - are able to provide authorities with information on their customers' geographic movements (while using their phone) going back months and sometimes years.

This 'communications data' can include all the calls made and received, who a user is in contact with, the geographic location of mobile phones, the emails sent and received, websites that have been visited, television programs watched, personal financial data and other personal information.

[source: EDRI-gram, Number 9, 21 May 2003]

German supermarket announces introduction of RFIDs

(2003-05-22) [EDRI] Last month, during a congress on supermarket logistics, German supermarket Metro AG announced the introduction of RFIDs to boost store efficiency and eliminate long checkout queues. The announcement comes at a time of heightened public awareness of the negative privacy implications of this new track & trace technology. In March, clothing designer Benetton announced plans to weave radio frequency ID chips into its garments to track its clothes worldwide. After massive protests the plans were postponed, and Benetton made it clear that it will first do more research on the use of RFID technology in its garments, including an assessment of the related privacy effects.

RFID tags are becoming smaller and cheaper every day. In general the tags are passive: they have no power supply of their own and cannot transmit any information by themselves. They receive the energy they need to transmit the stored information from the very readers that receive that information. The drawback of this technology is that this small amount of energy is not enough to perform encryption algorithms or any kind of access control mechanism. So the information stored on the tag is normally readable by any reader using the same frequency as the tag (usually 13.56 MHz).

The main privacy concern about the tags is that individual consumption patterns can be tracked and traced by any outsider with a reader. The only way to protect one's privacy would be to remove or destroy the smart tags - a difficult task if the tag is invisibly small and woven into a garment or vulcanised into the soles of shoes.

In the last few years an increasing number of prototypes of RFID technology have been tested in real-world situations. At the beginning of 2003 Gillette announced an order of 500 million RFID tags with the intent of attaching them to products such as razors and razor blades. In combination with smart shelves they will be used to track inventory and send managers automatic alerts when stocks are low. Just a few days later, on 14 January 2003, Michelin announced that it is also introducing Radio Frequency Tire Identification Technology. Finally, many public libraries around the world have started using RFIDs for the identification and handling of books, among them the newly built public library in Vienna, Austria.

Consumer groups and privacy advocates wish that RFID tags be either removed or disabled after the purchase of a product, and that a label notify consumers that a product has an RFID tag embedded. Such ground rules can prevent RFIDs from becoming a tracking device instead of a logistical tool.

[source: EDRI-gram, Number 9, 21 May 2003]

TV debate will put opinion holders on the map

(2003-05-14) [EuropeMedia.net] Viewers sending in SMS-messages to participate in a TV-debate on the Norwegian Broadcasting Corporation (NRK) will automatically have their location revealed on a map on screen, together with their opinion, thanks to GSM-based position technology.

According to NRK, this is the first time a service like this has been introduced on television. The project will be carried out as a four-week test on NRK's flagship discussion and debate programme Standpunkt. Since last autumn, viewers have been invited to discuss the topics of the TV programme on a teletext page. Their opinions have not, however, been shown on screen until now. From now on, when their message is shown on TV, so will be their location on a map of Norway.

[source: EuropeMedia.net]

Bango Fingerprint offers personalised mobile internet experience

(2003-05-08) [EuropeMedia.net] Cambridge, England-based mobile internet solutions provider Bango.net has launched the Bango Fingerprint, which allows content providers to deliver personalised revenue generating services to mobile phone users. The Bango Fingerprint provides a way to uniquely identify mobile users visiting a mobile site. Content providers can improve the user experience by recognising returning users and providing them more relevant content or services. The unique identity can be used to authenticate users and maintain important facilities such as shopping baskets.

"The addition of cookies to Web browsers enabled sites to provide better user experiences, reducing the need for logins and enabling sites to be tailored to users", said Ray Anderson, CEO of Bango.net. "The Bango Fingerprint brings these benefits to mobile sites, providing users with a fast track to exactly what they want. This is particularly important on a mobile as the small screen size makes navigation harder."

[source: EuropeMedia.net]

Online content sales suffer from lack of payment alternatives to credit cards - survey

(2003-05-09) [EuropeMedia.net] Internet service and content providers appear out of touch with the payment concerns and preferences of potential customers, a perception gap that may seriously limit content sales growth, according to The Online Payment Strategies and Preferences Poll, a new study from online payment service provider PaymentOne that contrasts the attitudes of consumers with those of online providers.

The study makes it clear that new payment alternatives to the credit card will help drive online content sales. The study was conducted in cooperation with Javelin Strategy & Research and eContent Magazine, which surveyed more than 10,000 consumers and top marketing executives at 300 internet, content, and premium service providers.

According to the research, consumers continue to perceive serious shortcomings with today's online payment options, particularly with respect to security. In fact, when consumers who have not made online purchases were asked what would persuade them to buy online content, 53 percent cited more secure payment options. Payment security was chosen over price or product-related responses by more than a two to one margin.

[source: EuropeMedia.net]

Liberty Alliance Releases Phase 2 Specifications for Federated Network Identity

(2003-04-15) [XML Cover Pages] The Liberty Alliance Project has published draft versions of its Phase 2 specifications and guidelines for identity-based web services.

The technical specification drafts provide three new elements to Liberty Alliance's Federated Network Identity Architecture. The Liberty Identity Federation Framework (ID-FF) version 1.2 now includes protocols for Affiliations and Anonymity. Liberty Identity Web Services Framework (ID-WSF) provides for Permissions-Based Attribute Sharing, Identity Discovery Service, Interaction Service, Security Profiles, and Extended Client Support. An initial service interface specification 'Personal Profile' is part of the Liberty Identity Service Interface Specifications (ID-SIS). "Drafts of security and privacy implementation guidelines as well as a Privacy and Security Best Practices document are also introduced with the Phase 2 draft specifications. These documents highlight global privacy laws and fair information practices, as well as provide implementation guidance for organizations using the Liberty Alliance specifications to build identity-based services. A Liberty Alliance public interoperability event being held at the RSA 2003 conference is bringing together 20 of the industry's leading hardware, software, mobile device and service companies; these companies will showcase how Liberty's Phase 1 specifications for opt-in account linking and simplified sign-on can be used today in numerous business scenarios. Liberty's specifications, which are developed collaboratively by members representing various industries and organizations across the globe, are open and free for anyone to download. The specifications support and include other open industry standards like SAML, SOAP, WAP, WS-Security and XML. This allows businesses to implement Liberty-enabled products and services confidently, knowing they will interoperate with the company's infrastructure and the infrastructure of its customers and business partners."

[source: XML Coverpages]

OASIS XML Common Biometric Format Moves Toward Standardization

(2003-02-06) [XML Cover Pages] A posting from Phillip H. Griffin (OASIS XCBF TC Chair) announces that the XML Common Biometric Format specification from the XML Common Biometric Format Technical Committee has been approved as a Committee Specification (CS).

The TC has also voted to begin the CS public comment period required to move the specification forward toward approval as an OASIS Standard. The public review period extends from January 28, 2003 through February 28, 2003. The TC has invited comment from its external liaison affiliates and other expert bodies, including X9F, ISO TC68/SC2, INCITS T4, INCITS M1, ASN.1 Consortium, ASN.1 ITU-T list, and the Biometric Consortium. "Biometrics are automated methods of recognizing a person based on physiological or behavioral characteristics. They are used to recognize the identity of an individual, or to verify a claimed identity. The XCBF specification defines cryptographic messages represented in XML markup for the secure collection, distribution, and processing of biometric information. These messages provide the means of achieving data integrity, authentication of origin, and privacy of biometric data in XML based systems and applications. Mechanisms and techniques are described for the secure transmission, storage, and integrity and privacy protection of biometric data."

[source: XML Coverpages]

Online service tests Web content for accessibility, privacy compliance

(2003-05-12) [DISA.org] Watchfire Corporation, a provider of Web site management software and services, announced today its Watchfire WebXACT, a free online service that allows users to test single pages of web content for quality, privacy and accessibility issues.

Watchfire says WebXACT checks one page of web content at a time and reports results through Web-based reports that help expose website quality, privacy and accessibility defects. By testing pages on their site with WebXACT, developers can encourage compliance with industry standards and best practices.

The WebXACT Privacy Report indicates whether or not the page has a link to a privacy statement, and identifies information collection, visitor-tracking technology like cookies and Web beacons, P3P compliance and third-party links. The Quality Status Report in WebXACT explains the page's quality issues and indicates whether it has defects such as broken links or anchors, warnings, or other issues with the page.

More details: http://www.watchfire.com/news/releases/5-12-03.asp

[source: DISA.org]

UK e-Elections

(2003-05-07) [EuropeMedia.net] Electronic voting used for real in the UK. Government says it was a "resounding success".

Recent live trials of electronic voting in 17 councils across England were hailed a "resounding success" by the government, with early indications showing one-fifth of voters in pilot areas used new methods to cast their vote in the local elections, the Deputy Prime Minister's Office said. Initial turnout figures from councils experimenting with e-voting systems suggest the pilots were well received, but less effective at increasing participation than postal voting. Swindon Borough Council, one of the local authorities taking part in the trials, reported that 7.5 per cent of its electorate voted electronically, with nearly 6,900 citizens casting their ballot via the internet.

Interactive digital television proved to be less popular for voters in Swindon, with just 339 taking up this option, and only 163 using electronic street kiosks. Stroud District Council reported e-turnout levels exceeding 20 per cent of the total and "universal positive feedback". Elsewhere, St Albans District Council experienced some technical problems with verifying electronic votes, leading to delays in election results being announced.

The pilots represented one of the largest implementations of electronic voting technologies ever undertaken in Europe, allowing 1.4m voters the opportunity to cast their ballot electronically at polling stations, interactive kiosks, or from home via the internet, touch-tone telephone, digital TV or text message.

[source: EuropeMedia.net]

London City Airport unveils biometric scanning system

(2003-05-09) [EuropeMedia.net] London's City Airport has installed a biometric security system that uses fingerprint scanners to manage access throughout the airport, making it the first airport to build such a system in Europe. All passengers travelling to the United States will begin to be scanned by October next year. At the moment, the system is restricted to employees of the airport.

The biometric system was developed by Daon, and scans a fingerprint and employs an extraction algorithm to locate a unique pattern of connections to identify the user. The system does not store the fingerprint, out of concern for privacy, and works in concert with photo identification.

The company claims that the system falsely accepts a non-authorised person at a rate of one in 100,000, and falsely rejects authorised people at a rate of 1.5 per cent.

The implementation of the new system is a result of the demand by the new US Department of Homeland Security that all visitors to the country will have to go through two forms of biometric identification by November 2004.

[source: EuropeMedia.net]

Doubts raised about iris scan technology

(2003-05-09) [EuropeMedia.net] According to the BBC, American and British experts have raised doubts as to the accuracy and effectiveness of the iris scan as a means of personal identification and authentication.

More importantly, how does this affect two Dutch biometrics projects?

Iris scans are increasingly being deployed at airports to automatically identify and authenticate passengers at passport control with speed and accuracy.

Iris-scan manufacturers claim that there is a one-in-a-million chance of an identification error, reports the BBC.

However, a test done in February 2002 by the US Ministry of Defence uncovered a six per cent rate of error. It has been suggested that the size of the database to be checked against, i.e., the number of possible candidates, may affect the accuracy of such a method.
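The effect described above, that the number of candidates checked against changes the effective error rate of a one-to-many search, can be worked through numerically. This is an added example, not part of the original news item or any vendor's or ministry's test; it assumes independent comparisons with a fixed per-comparison false match rate and generalises beyond the quoted figures by taking any rate and any database size.

```python
import math

# Added example, not from the original news item. Each comparison of a live
# sample against one stored template is treated as an independent trial whose
# chance of a false match is `fmr` (the per-comparison false accept rate).
# The independence assumption is a simplification chosen for illustration.


def false_match_probability(fmr: float, gallery_size: int) -> float:
    """Probability that a one-to-many search against `gallery_size` stored
    templates produces at least one false match: 1 - (1 - fmr)^N.
    For small fmr*N this is close to fmr*N, so the risk grows roughly
    linearly with the size of the database being searched."""
    if not 0.0 <= fmr <= 1.0:
        raise ValueError("fmr must be a probability in [0, 1]")
    if gallery_size < 0:
        raise ValueError("gallery_size must be non-negative")
    if gallery_size == 0:
        return 0.0
    # expm1/log1p keep precision when fmr is tiny (1e-5, 1e-6, ...).
    return -math.expm1(gallery_size * math.log1p(-fmr))


def expected_false_matches(fmr: float, gallery_size: int) -> float:
    """Expected number of stored templates that falsely match one probe."""
    return fmr * gallery_size


def max_gallery_size(fmr: float, target: float) -> int:
    """Largest database size N for which the search-level false match
    probability stays at or below `target`; solves (1 - fmr)^N >= 1 - target."""
    if not 0.0 < fmr < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("fmr and target must lie strictly between 0 and 1")
    # Both logarithms are negative, so the quotient is positive.
    return math.floor(math.log1p(-target) / math.log1p(-fmr))


def compare_claims() -> dict:
    """Search-level false match probability for the two per-comparison rates
    quoted in the items above (1 in 100,000 for the airport access system,
    1 in a million claimed for iris scans) across constructed database sizes."""
    rates = {"1 in 100,000": 1e-5, "1 in 1,000,000": 1e-6}
    sizes = [1, 1_000, 100_000, 1_000_000]  # constructed sizes, not real ones
    return {label: {n: false_match_probability(rate, n) for n in sizes}
            for label, rate in rates.items()}


if __name__ == "__main__":
    for label, row in compare_claims().items():
        print(f"per-comparison rate {label}:")
        for n, p in row.items():
            print(f"  database of {n:>9,} entries -> P(false match) = {p:.4f}")
    print("largest database keeping a 1-in-a-million rate under 1%:",
          max_gallery_size(1e-6, 0.01))
```

The one-in-a-million figure is a per-comparison claim; a verification (1:1) check and an identification search over a large population are different risks, which is why the test database size matters.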

Furthermore, statistics reveal that electronic passport control in Britain using the iris scan can take longer than its manual counterpart in some cases.

In the Netherlands, Amsterdam's Schiphol Airport went live with its Privium service in October 2002, following a one-year trial and a positive evaluation by Dutch company TNO and the British National Physical Laboratory.

Privium uses iris scan technology to validate passengers, making Schiphol one of the first airports worldwide to use such biometric technology for passport control.

In addition, starting in the autumn of 2004, Dutch passports will be equipped with an electronic chip containing the passport holder's biometric details.

It is not clear if the iris scan technologies and systems deployed in the tests conducted in Britain and America were similar to those in the Netherlands, or even if these tests were reasonable and extensive.

However, it does raise the question of how secure and accurate this solution really is and whether it needs further investigation.

[source: EuropeMedia.net]

IBM's Enterprise Privacy Authorization Language (EPAL)

(2003-05-09) [XML Cover Pages] Research at IBM's Zurich Research Laboratory has led to the publication of an Enterprise Privacy Authorization Language (EPAL) specification. EPAL is a formal language to specify fine-grained enterprise privacy policies. It concentrates on the core privacy authorization while abstracting from all deployment details such as data model or user-authentication. EPAL will be discussed at a June 2003 W3C P3P and Enterprise Privacy Policy Workshop.

[source: XML Cover Pages]

Call for Participation in W3C P3P and Enterprise Privacy Policy Workshop

(2003-02-09) [XML Cover Pages] A call for papers has been issued for the upcoming W3C Workshop on the Long Term Future of P3P and Enterprise Privacy Languages. The Workshop is hosted by the Independent Center for Privacy Protection and will be held in Kiel, Schleswig-Holstein, Germany on June 18-20, 2003. The organizers have invited position papers that discuss technology or policy with respect to P3P, privacy metadata, and fine-grained enterprise privacy languages.

[source: XML Cover Pages]

On the difference between marks and locks

(2003-04-20) [Lessig blog] JD Lasica has a nice pointer to a story about progress in the digital watermarking debate. He wonders about this progress because of work (in part by Ed Felten) suggesting 'that all such encryption systems can be defeated.' But there is an important distinction that this debate needs. I'm a strong supporter of flawed (in the sense of defeatable) watermarking. Here's why...

[source: Lessig blog]

Digital rights management vs. digital rights expression

(2003-04-13) [Lessig blog] Doc has a great post pushing public domain dedications of content. But on the way to his valuable recommendation, Doc writes, "I believe what Userland and the Creative Commons people have made here is, literally, a DRM - digital rights management - system, in the best possible sense of the acronym." I think it is useful and important to distinguish between DRM and DRE - digital rights management vs. digital rights expression. DRE is a technology simply (1) to express rights. The 'management' in DRM implies a technology - code - both (1) to express rights and (2) to enforce it.

[source: Lessig blog]

Weblogs and the Public Domain

(2003-04-13) [Lessig blog] Doc has an interesting post about CC licenses and the public domain. As he rightly notes, we have no direct license that you can link to so as to place your material in the public domain. This is not because we wouldn't like to offer such a license. It is instead because the law does not make such simplicity possible. While for most of our history, there were a thousand ways to move creative material into the public domain, most lawyers today are puzzled about whether there is any way to move work into the public domain.

[source: Lessig blog]

Return of Web Tracking?

(2003-02-14) [Privacy.org] After the death of Doubleclick's effort to track web surfing habits, companies have generally tried to be more careful about how they monitor users. New York Times Digital is reported to be considering a new program that would deliver "personalized" ads to surfers. While the company says it is delivering only aggregate information to advertisers, in the future it is looking at being able to give the marketer more personal or demographic information. So far, it is testing the program with three advertisers, including pharmaceutical company Nexium.

[NYTimes.com gears ads to surfers' habits CNET News, February 13, 2003 http://news.com.com/2100-1023-984575.html ]

[source: Privacy.org]

"Privacy pinned under the thumb".

(2003-04-29) [The Observer] " .... all the pupils [in a London primary school] had been electronically finger-printed for a new library management system. The school had not asked the parents for their consent, nor were the children given an explanation of their legal rights..... [T]he fingerprinting system has been sold to a thousand British schools, resulting in the fingerprinting of as many as 200,000 children"

[John Naughton: "Privacy pinned under the thumb.", The Observer, July 28, 2003] How would you feel if your children's fingerprints were being taken at school, without your knowledge or consent, and stored on computer? You'd be outraged. It's the kind of thing that would only happen in the old Soviet Empire. Luckily we don't go in for that kind of thing over here.

Oh yeah? Privacy International, an admirable human rights organisation, recently received a complaint from the mother of an 11-year-old child attending a London primary school.

She had discovered that all the pupils had been electronically finger-printed for a new library management system. The school had not asked the parents for their consent, nor were the children given an explanation of their legal rights. .....

[source: The Observer, Sunday July 28, 2002]

OSCE releases report on freedom of the media in the digital era.

(2003-04-29) [EPIC] The Organization for Security and Cooperation in Europe (OSCE) has published a booklet titled "From Quill to Cursor: Freedom of the Media in the Digital Era." This booklet comprises papers submitted for a one-day workshop on freedom of the media and the Internet held in Vienna in November. In these papers, experts from the United Nations Educational, Scientific and Cultural Organization (UNESCO) and the Council of Europe, as well as journalists and Internet service providers, explore topics such as universal access to Cyberspace, constitutional rights in the Internet age, the importance of the public domain, and censorship and intellectual property rights.

See: "From Quill to Cursor: Freedom of the Media in the Digital Era" (http://www.osce.org/documents/rfm/2003/04/41_en.pdf)

[source: EPIC Alert, Volume 10 no 8, April 23, 2003]

FOIA documents on ChoicePoint spark international inquiries.

(2003-04-29) [EPIC] Documents obtained under the Freedom of Information Act (FOIA) have sparked inquiries in Mexico and other Central and South American countries regarding the sale of foreign citizens' personal information to the US government by information broker ChoicePoint. ChoicePoint sells the personal data of citizens of Mexico, Colombia, Brazil, Venezuela, Guatemala, Argentina, Costa Rica, Honduras, and Nicaragua. The information categories for these countries include national ID, voting registers, vehicle registration, aircraft registration, and telephone numbers. Apparently ChoicePoint began to accumulate this information in 2000 through relationships with foreign governments and purchases from foreign data vendors.

Latin American privacy experts claim that the acquisition of the information by ChoicePoint may have been illegal, and that the sale infringes on national sovereignty. Costa Rican, Nicaraguan, and Mexican authorities have decided to investigate the matter, and the Mexican Federal Electoral Institute will file a criminal complaint against persons who have sold voter data to ChoicePoint.

[source: EPIC Alert, Volume 10 no 8, April 23, 2003]

Coalition alleges violations of children's privacy law.

(2003-04-29) [EPIC] In a complaint filed with the Federal Trade Commission (FTC), EPIC and 11 consumer protection groups urged the agency to investigate Amazon.com for violations of the Children's Online Privacy Protection Act (COPPA). The coalition of groups joining the complaint includes Commercial Alert, the Center for Media Education, and the Consumer Federation of America.

The COPPA is a 1998 Federal law that seeks to protect individuals under the age of 13 from online privacy violations. Commercial Web sites that are directed towards children, or those that have actual knowledge that they collect children's personal information, must comply with the COPPA. Such sites must provide a parental privacy notice, a mechanism to obtain verifiable parental consent for the collection of children's information, a system for parental review and deletion of children's information, and security and confidentiality requirements.

The complaint details how Amazon.com is operating a commercial Web site directed at children, collecting children's personal information, and disclosing that data. To support the finding that Amazon.com directs its "Toy Store" page to children, the complaint illustrates how the company employs child models, cartoon characters, and playful fonts to direct children to purchase toys on the site. Individuals who visit "ToysRUs.com" or "Imaginarium.com" are redirected to the Amazon.com "Toy Store" page. Furthermore, it appears that numerous children have registered on the Amazon.com Web site. The EPIC complaint notes that children as young as 7 have registered, and in some cases, have publicly listed their full names, postal addresses, and e-mail addresses.

[source: EPIC Alert, Volume 10 no 8, April 23, 2003]

All cops granted access to telecommunication data in NL.

(2003-04-29) [EDRI] Early in April, the Dutch Lower House silently approved a change to the Telecommunication Law that substantially lowers the barriers to accessing personal data. All 40.000 policemen will have the right to demand the name and address data of all telephony and internet subscribers. There is no need for the user to be a suspect; requests can be made in the general context of investigating serious crime.

Currently, access to the central database with the data of telephony subscribers is limited to the 500 public prosecutors (and the secret service). Internet providers in the Netherlands are not yet obliged to store the Name Address data of their users in this central database, but might become very eager to do so in the future, when faced with countless requests from police officers with little or no knowledge of internet.

[source: EDRI-gram, Number 7, 23 April 2003]

UK proposal for biometric id-card.

(2003-04-29) [EDRI] The controversy in the UK around the introduction of an 'entitlement card' was stirred up again last week by the Home Office (the Ministry of Internal Affairs for England and Wales). The Sunday Telegraph reported that Home Secretary David Blunkett (the minister) intends to charge people 35 - 43 euros for the cards. Thus he hopes to win over the Treasury department who balked at the estimated cost of 2.3 billion euros. Blunkett seems convinced that people's concerns over terrorism and immigration would mean that they would not object to the cost of the card.

Another issue raised in the consultation was the type of identity verification that would be used on the card. The Home Office proposed the use of iris scans, while opponents believed that such a technology was not sufficiently developed for large-scale implementation and that people would resist the idea of having their eyes scanned. Despite these concerns, iris recognition is still being considered.

Identity cards are seen as a highly contentious issue within the UK where no scheme has existed since 1957. A conservative Government evaluated a modern scheme in the mid 1990s but was unable to garner sufficient public support as people's privacy concerns outweighed the perceived advantages of an identity card. Following the events of 11 September Blunkett revived the initiative to combat terrorism, illegal immigration, benefit fraud and identity theft.

[source: EDRI-gram, Number 7, 23 April 2003]

Many EU websites violate privacy-rules.

(2003-04-29) [EDRI] According to research by World IT Lawyers, a majority of European websites violate EU directives protecting on-line consumers. More than half of the researched websites lack essential information about the on-line buying procedure or the consumer's right to cancel an order within 7 days. On top of that, almost half of the websites of companies and institutions lack a privacy policy. The research compares websites from France, Germany, the Netherlands, Portugal, Spain, Switzerland and the United Kingdom.

Websites within the EU should comply with several EU directives, such as the Privacy Directives from 1995 and 1997, the E-Commerce Directive and the Directive on long-distance selling. 60 percent of the websites don't explain the exact buying procedure to consumers. An equal majority doesn't explain the right to cancel an order within 7 days, whatever the reason. Only in Great Britain does a majority of companies comply with the obligation to explain the procedure, but less than 50 percent of these companies point to the right to cancel an order. In Switzerland, Portugal and the Netherlands, more than two-thirds of websites fail to mention this crucial consumer right.

[source: EDRI-gram, Number 7, 23 April 2003]

ICANN fails to establish adequate WHOIS privacy standards.

(2003-04-16) [EPIC] The WHOIS database was originally intended to allow network administrators to access domain name registrants' information in order to easily find and fix problems and maintain the stability of the Internet. Currently, it also exposes that personally identifiable information to spammers, stalkers, criminal investigators, and copyright enforcers. On February 6, the WHOIS Task Force of the Generic Names Supporting Organization posted its "Final Report on WHOIS Accuracy and Bulk Access" for comments and for consideration by the Generic Names Supporting Organization Council. The report included four policies on accuracy and bulk access of WHOIS data along with other recommendations. These policies have been criticized as being deficient because they fail to establish adequate privacy safeguards.

(see EPIC Alert 9.24 and 10.04).

The Internet Corporation for Assigned Names and Numbers (ICANN) voted on and adopted the WHOIS Task Force's policies on accuracy and bulk access during its March 23-27 meeting in Rio de Janeiro, Brazil. At the meeting, ICANN also directed its President to appoint a President's Standing Committee on Privacy to monitor the implications of existing and proposed ICANN policies on the handling of personal data. In the meantime, ICANN's Generic Names Supporting Organization initiated a policy development process that may lead to the creation of a new privacy task force that would serve to adequately address WHOIS-related privacy issues.

[source: EPIC Alert, Volume 10 no 7, April 9, 2003]

Documents Show Errors in US TSA's "No-Fly" Watchlist.

(2003-04-16) [EPIC] EPIC recently obtained agency documents through the Freedom of Information Act (FOIA) that raise important questions about how the Transportation Security Administration (TSA) operates its "No-Fly" watchlist. The documents preview several potential problems with due process that may result from the proposed passenger profiling system, CAPPS-II (the Enhanced Computer Assisted Passenger Pre-screening System), including numerous complaints from passengers who have no idea why their names are on a list, or how to be removed. A few heavily redacted agency memos concerning the operation of the watchlist were also released in part.

The documents show that the TSA administers two lists: a "no-fly" list and a "selectee" list, which requires passengers to go through additional security measures. Names are provided to air carriers through Security Directives or Emergency Amendments, and are stored in their computer systems so that an individual whose name matches a name on the list can be flagged when getting a boarding pass. A "no-fly" match requires the agent to call a law enforcement officer to detain and question the passenger. A "selectee" match causes an "S" or special mark to be printed on the boarding pass, and the person receives additional screening at security. The TSA has withheld the number of names on each of the lists.

[source: EPIC Alert, Volume 10 no 7, April 9, 2003]

Austria loses court case about surveillance costs.

(2003-04-16) [EDRI] Telecommunication companies in Austria have won an important court case against the federal government. Though in general the wiretapping provisions in the new Telecommunications Law were not deemed unconstitutional, from 2004 onwards, government will have to reimburse providers for the costs of procuring and maintaining surveillance equipment.

[source: EDRI-gram, Number 6, 9 April 2003]

Swiss providers to keep email records for 6 months.

(2003-04-16) [EDRI] On 1 April, new legislation came into force that obliges Swiss Internet Service Providers (ISPs) to keep a 6-month email log file. That means they will have to store the time, size and addresses of all emails sent by their customers (the SMTP envelope data). The authorities will be able to access these stored data with a search warrant only. Access is limited to a number of serious offences such as paedophilia and drug trafficking.

There is no general obligation to store the content of all emails, but providers can be ordered to keep the specific correspondence of a suspect (preservation) and forward it to a special new crime-investigating unit.

[source: EDRI-gram, Number 6, 9 April 2003]

6 risks in the surveillance society.

(2003-04-16) [Digital Rights, DK] Pär Ström, Sweden, has proposed a set of six areas of concern for privacy in the context of surveillance.

These concerns relate to a message distributed on a mailing list.

"I am doing some thinking in the area of the risks in terms of privacy and human rights in the surveillance society we might get as a consequence of the digital revolution."

See text: http://www.sics.se/~olleo/SAITS/resources/external/digitalrights-030416.txt ( source: mailing list for "privacy and surveillance", Digital Rights, DK, April 16, 2003 )

Danish BigBrother Awards 2002.

(2003-04-16) [BigBrotherAwards] The internationally recognised Danish Big Brother Awards were presented for the second time in Denmark, on January 21st 2003 in Copenhagen. Awards in a number of categories were issued.

One of them was the Big Brother Award 2002 for the state: the Danish Data Protection Agency receives the Orwell Award. Motivation: for being an institution that has not protected citizens from data linking based on the National Id.

Since the implementation of the Danish National Id system (CPR) more than 30 years ago, we have seen a slow, but constant linking of public data files and massive function creep based on the National Id.

As an institution, this agency legitimises the lack of understanding that personal data are the property of the citizens, not the state, and must not be subject to extensive and arbitrary linking between different organisations. This linking of personal data collected for different purposes often creates a group of "suspects", who legally have no chance to defend themselves - they may just have to accept the fact that they are subject to data surveillance at all times, whether justified or not.

As an example the agency did not react clearly to data linking related to exiled immigrants, which again was part of a general linking project in local government.

[source: http://www.bigbrotherawards.dk/uk/index.uk.html]

Polish providers fight email monitoring obligation.

(2003-03-31) [EDRI] Telecommunication providers in Poland have received an order from the Ministry of Infrastructure to install email wiretapping equipment.

This was announced in an item on Warsaw Polish Radio 1 on 19 March 2002.

In the item, counsellor Daniel Wieszczycki stated that the order is contrary to the constitutional right of secrecy of correspondence. In pursuance of the order, the operators are obliged to connect their lines to authorized surveillance institutions. These are the Internal Security Agency, the Intelligence Agency, the Military Gendarmerie, the Border Guard, the police and the military intelligence.

[source: EDRI-gram, Number 5, 27 March 2003]

Restrictions on cryptography in Spain.

(2003-03-31) [EDRI] A proposal to modify the Spanish telecommunication law threatens the free use of cryptography.

The current General Law of Telecommunications (Ley General de Telecomunicaciones, LGT) already puts some restrictions on the use of cryptography.

The modification proposal would create an obligation for every user to hand over their encryption key and password when asked by any public authority.

[source: EDRI-gram, Number 5, 27 March 2003]

UK Home Office not amused with Big Brother Award.

(2003-03-31) [EDRI] Yesterday, Privacy International announced the winners of the 5th Annual UK 'Big Brother' awards to the government and private sector organisations that have done the most to invade personal privacy in Britain.

Winner of the award for worst public servant is London Mayor Ken Livingstone, for his efforts in transport surveillance. Prime Minister Tony Blair received the Lifetime Menace Award. Blair earned the award partly because of his plans to force phone companies and Internet service providers to retain user data for 12 months as part of the country's stepped-up war on terrorism and crime.

[source: EDRI-gram, Number 5, 27 March 2003]

EPIC Testifies at European Parliament on Air Travel Privacy.

(2003-03-29) [EPIC] On March 25, EPIC Policy Counsel Cedric Laurant testified at a hearing on "Data Protection Since 11 September 2001: What Strategy for Europe?" The public seminar, organized by the European Parliament's Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, discussed emerging threats to data protection in both the private and the public sectors in the European Union.

EPIC's testimony focused on the implications of new U.S. passenger profiling schemes for the privacy interests of European travelers.

EPIC urged the European Parliament to keep close watch on the data-mining and profiling schemes as they move forward to ensure that the legal rights of European citizens are not abridged.

[source: EPIC Alert, Volume 10 no 6, March 26, 2003]

Data Industry Initiates Anti-Privacy Credit Campaign.

(2003-03-29) [EPIC] Data profiling companies have begun an anti-privacy campaign with the goal of preventing state legislators from passing strong privacy laws.

The data profiling companies are seeking extension of federal preemption in the Fair Credit Reporting Act (FCRA). If preemption is extended or expanded, it will prevent states from passing consumer-friendly privacy laws. It may also prevent state courts from developing new protections for personal data.

[source: EPIC Alert, Volume 10 no 6, March 26, 2003]

US Senate Wants Answers on Controversial Air Security System.

(2003-03-29) [EPIC] The US Senate Commerce Committee approved an amendment on March 13 that would begin to open the controversial Enhanced Computer Assisted Passenger Pre-Screening System (CAPPS-II) to Congressional scrutiny. The Transportation Security Administration (TSA)'s proposed passenger profiling system aims to conduct background risk assessments on all air travelers before they fly.

The profiling system will rely on experimental data-mining technology to sift through data from various commercial and government databases, assigning different "risk scores" to passengers. Based on these scores, passengers will either be denied boarding, subjected to a more intrusive physical search, or passed through normal screening.

TSA is testing CAPPS-II with Delta Airlines in three mid-size airports this spring and plans to implement the profiling system throughout the country by the summer of 2004.

The Senate Committee's amendment would require TSA to produce a written report on the impact of the profiling system on the privacy and civil liberties of United States citizens.

[source: EPIC Alert, Volume 10 no 6, March 26, 2003]

US National Research Council Releases Report on Biometrics and Privacy.

(2003-03-29) [EPIC] A new report from the National Research Council examines the privacy implications of systems designed for authentication of identity. The report, titled "Who Goes There? Authentication Through the Lens of Privacy", looks at a variety of legal, policy, and technical considerations and concludes that privacy standards should be established.

[source: EPIC Alert, Volume 10 no 6, March 26, 2003]

Social patterns detected by email analysis.

(2003-03-28) [CNet] Analysis of e-mail traffic enables detection of informal social communities.

Researchers at HP have developed a method that analyses e-mail traffic and can detect formal and informal communities within an organization, as well as their leaders, within a matter of hours. The only information used was e-mail log data, the To: and From: fields. Use of this method is potentially threatening to privacy, though the stated aim was to detect informal groups within an organisation so that support for such informal groups could be created at an organisational level.

[source: CNet]

US Federal initiatives on data mining - potential hazards.

(2003-03-28) [NYT] In-Q-Tel CEO warns against large databases with information about personal activities.

In-Q-Tel CEO Gilman Louie states that a proposed large database on citizens' activities, to which government officials would have unrestricted access, is a "very dangerous" idea. Data mining in this database would collate data on Americans and sort it by name, purchasing history, or travel itinerary in order to find suspicious patterns; anyone who is profiled as a suspect would be placed on a watch list. This approach could destabilize civil liberties.

[source: New York Times]

Protests against US passenger prescreening program

(2003-03-28) [PCWorld] Privacy groups react to CAPPS II, a passenger prescreening program.

An alliance of privacy groups fired off a letter advising Congress to halt the second version of the Computer Assisted Passenger Prescreening System (CAPPS II) program until its effectiveness and privacy implications are thoroughly researched.

[source: PCWorld]

Pretty Good Isn't Good Enough

(2003-03-20) [New.Architect] Phil Zimmermann won the crypto war. Whither privacy? A short interview.

Phil Zimmermann created Pretty Good Privacy (PGP) in 1991, which subsequently earned him a criminal investigation for violating U.S. export restrictions and a buyout from Network Associates. In 2002, NAI sold PGP back to PGP Corp., where Zimmermann now consults. A short interview with Phil can be found at http://www.newarchitectmag.com/documents/s=2415/na0103r/

[source: New.Architect]

PI - Privacy International.

(2003-03-20) [PI] Privacy International (PI) is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations.

PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns throughout the world on issues ranging from wiretapping and national security, to ID cards, video surveillance, data matching, police information systems, medical privacy, and freedom of information and expression. See: http://www.privacyinternational.org/

UK Government Announces Consultation on Data Retention and Access.

(2003-03-20) [PI] The Home Office released two consultation papers on Access to Communications Data and a Voluntary Code of Practice on Data Retention on 11 March.

The Access consultation represents a backing down from the Home Office proposals of last June, which radically expanded the number of government bodies that would have access to communications records. However, the Data Retention consultation, which would have ISPs tracking their users, is generating controversy. See the PI UK Wiretap page for background information. (BBC, 11 March 2003, http://news.bbc.co.uk/1/hi/world/europe/2864063.stm )

[source: privacyInternational.org]

PI Launches Competition to Find the World's Most Stupid Security Measure.

(2003-03-20) [PI] Privacy International has launched a competition to discover the world's most pointless, intrusive and self-serving security initiatives.

The "Stupid Security" Award will highlight measures which are outrageously pointless and illusory, and which cause unnecessary distress and annoyance. Nominations are open to everyone. The winners will be announced in New York on April 3rd. Announcement and guidelines can be found at http://www.privacyinternational.org/activities/stupidsecurity/ .

[source: privacyInternational.org]

EPIC - Electronic Privacy Information Center.

(2003-03-18) [EPIC] EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

EPIC publishes an award-winning e-mail and online newsletter on civil liberties in the information age -- the EPIC Alert. EPIC also publishes reports and even books about privacy, open government, free speech, and other important topics related to civil liberties. See: http://www.epic.org/

EPIC Obtains "Total Information Awareness" Contractor Documents.

(2003-03-18) [EPIC] EPIC has obtained contractor documents for the Total Information Awareness program following a Freedom of Information Act lawsuit against the Defense Department. The main focus of the Total Information Awareness (data mining) program is to build "usable tools, rather than demonstrations."

EPIC anticipates the receipt of further documents covering various aspects of DARPA's data mining activities and the Total Information Awareness program over the next few months, and will make these documents available as they are received. According to the Defense Department notice, the main focus of the Total Information Awareness (data mining) program is to build "usable tools, rather than demonstrations." The notice states that "[t]he idea is to enable our partners in the intelligence community to evaluate new technology and pick it up for experimental use and transition, as appropriate." The contracts are from three branches of the Defense Department: the Air Force Research Laboratory, the Navy's Space and Naval Warfare Systems Command (SPAWAR), and DARPA's Information Awareness Office itself. The Navy's SPAWAR program appears interested in developing large-scale repository and data mining capabilities. It is not clear how these technologies might be useful for the Air Force and Navy in their respective "battlespaces", or why they are funding the development of domestic surveillance infrastructure.

[source: EPIC Alert, Volume 10 no 5, March 10, 2003]

Appeals Court Strikes Down Internet Censorship Law (Again).

(2003-03-18) [EPIC] The U.S. Court of Appeals for the Third Circuit has, for the second time, ruled that the Child Online Protection Act (COPA) is unconstitutional. In a decision issued on March 6, the court found that the law violates the First Amendment because it improperly restricts access to a substantial amount of online speech that is lawful for adults to receive. COPA, signed into law in October 1998, makes it a federal crime to use the Internet to communicate "for commercial purposes" material considered "harmful to minors", with penalties of up to $150,000 for each day of violation and up to six months in prison. Civil liberties groups, including the American Civil Liberties Union and EPIC, challenged the law shortly after its passage, arguing that COPA violates the First Amendment.

Compliance with COPA would require Web sites to obtain identification and age verification from visitors, a feature of the law that EPIC has argued threatens online privacy and anonymity. In its new decision, the appeals court specifically addressed this issue: "We agree . . . that COPA will likely deter many adults from accessing restricted content, because many Web users are simply unwilling to provide identification information in order to gain access to content, especially where the information they wish to access is sensitive or controversial. People may fear to transmit their personal information, and may also fear that their personal, identifying information will be collected and stored in the records of various Web sites or providers of adult identification numbers. The Supreme Court has disapproved of content-based restrictions that require recipients to identify themselves affirmatively before being granted access to disfavored speech, because such restrictions can have an impermissible chilling effect on those would-be recipients."

[source: EPIC Alert, Volume 10 no 5, March 10, 2003]

Disclosure of Air Travel Passenger Data Violates EU Privacy Laws.

(2003-03-18) [EPIC] Under an interim arrangement reached on March 5 between the European Commission and the United States Customs authorities, European airlines are now required to provide U.S. Customs with full access to their passenger data. As outlined in the EU-U.S. joint statement of February 17-18, U.S. Customs will now be able to request all passenger data stored by European airlines.

The transfer of data is not restricted to name, address or flight number; it also covers all other data collected about passengers, such as credit card numbers. This includes sensitive and potentially stigmatising data, such as meal choice, which might reveal medical conditions, ethnicity or religion. The U.S. is even considering requiring the collection of biometric data from European citizens who travel under the Visa Waiver Program (under which most European citizens may enter the United States for short visits without a visa). Customs could therefore require European citizens to provide their fingerprints in order to enter the United States.

In exchange for the United States' promise to safeguard the privacy of European citizens, the European Commission urged the data protection authorities of the member states not to intervene when European airlines provide U.S. Customs with the requested data. EPIC argues that these requests violate European privacy law. Since the requests involve the systematic collection of data on all passengers, they are excessive. Collected data might be forwarded to any federal or local law enforcement agency for several different purposes, not restricted to combating terrorism. The United States' promises to safeguard the data are vague, and therefore weak. There is no supervisory body to oversee these safeguards, and European airlines will be forced to act like law enforcement agencies. Further, the arrangement itself has no legal basis in European law.

[source: EPIC Alert, Volume 10 no 5, March 10, 2003]

EPIC Comments on Biometrics Specification.

(2003-03-18) [EPIC] On February 28, EPIC submitted comments on the Organization for the Advancement of Structured Information Standards (OASIS) XML Common Biometric Format (XCBF) 1.0 Committee Specification. Biometrics entail automated methods of recognizing a person based on physiological or behavioral characteristics and measurements, and are used to recognize the identity of an individual or to verify a claimed identity. EPIC's comments stated that while the specification may respect security standards, it cannot be fairly or accurately described as respecting privacy.

EPIC underscored that techniques that enable the collection of personally identifiable information in the absence of enforceable legal rights or technical safeguards necessarily create a new risk that personal information will be misused. Because standardisation of biometric data in a machine-readable format makes massive and efficient automated data aggregation much simpler, EPIC recommended further research into implementing privacy safeguards within the protocol.

[source: EPIC Alert, Volume 10 no 5, March 10, 2003]

"Black boxes" in motor vehicles.

(2003-03-18) [EPIC] EPIC recently submitted comments to the National Highway Traffic Safety Administration (NHTSA) regarding its role in the development and installation of Event Data Recorders (EDRs), or "black boxes", in motor vehicles. EDRs are electronic devices that collect and store information about the operation of a motor vehicle. The data recorded might include the date, time, velocity, direction, number of occupants, airbag deployment data and seat belt use. Some devices might even record location data, which raises additional significant privacy issues.

In addition, there are open questions about how the data can be accessed, recorded and transmitted. There are several different types of EDRs in the market, ranging from the Vetronix system, which is installed in cars produced by General Motors, to the more elaborate MacBox system currently being tested by the Drive Atlanta project at the Georgia Institute of Technology. Each type of device collects different kinds of data for different purposes. Advocates of EDR technology suggest that the information might be useful in accident reconstruction and developing safer vehicles through "real world" testing. Insurance companies want the data to settle claims expeditiously. These companies, along with car rental agencies and others, have also demonstrated interest in obtaining this data in support of efforts to control driving behavior through surveillance.

[source: EPIC Alert, Volume 10 no 5, March 10, 2003]

EDRI - European Digital Rights

(2003-03-14) [EDRI] European Digital Rights (EDRi) is a European association of privacy and civil rights groups. Founded in June 2002, EDRi is made up of 10 privacy and civil rights organisations from 7 different countries in the European Union. Members of EDRi have joined forces to defend civil rights in the information society.

The need for cooperation among European organisations is increasing as more regulation of the internet, privacy and interception originates from the European Union. Especially since 11 September 2001, new regulation has been passed that demands unified action from civil rights defenders. Examples of regulations and developments that have the attention of European Digital Rights are data retention requirements, spam, telecommunications interception, the cyber-crime treaty, initiatives for rating and filtering of internet content, notice and take-down procedures for websites, and fair use restrictions. Since January 2003, EDRi has produced a bi-weekly newsletter about digital civil rights in Europe. EDRi has an active interest in developments regarding these subjects in the EU accession countries; with the publication, members want to share knowledge and raise awareness of these issues throughout the continent. See: http://www.edri.org/

Conference CCTV and Social Control

(2003-03-14) [EDRI] Pre-registration deadline for the conference CCTV and Social Control. The Centre for Criminological Research of the University of Sheffield, in conjunction with the journal Surveillance & Society, will organise a two-day conference in Sheffield, UK, on the politics and practice of video surveillance. The conference will take place on 8 and 9 January 2004, but everybody is kindly requested to express interest this week, whether presenting a paper or just attending.

Pre-registration and paper proposals by e-mail to c.norris@sheffield.ac.uk

[source: EDRI-gram, Number 4, 12 March 2003]

Censoring the Internet: the situation in Turkey

(2003-03-14) [EDRI] 'Turkey, showing the symptoms of a developing country, has not yet established the jurisprudence necessary for the Internet. The existing Turkish laws, especially the Press Law, are naively applied to alleged lawbreakers on the Internet, resulting in ludicrous outcomes.'

[source: EDRI-gram, Number 4, 12 March 2003]

Call for public views on videosurveillance

(2003-03-14) [EDRI] The European data protection commissioners, united in the Article 29 Working Party, invite the public to respond to a position paper about video surveillance. The paper gives an interesting overview of the differences in legislation and measures adopted in the different member states since the transposition of the Data Protection Directive (95/46/EC).

The Commissioners are specifically worried about 7 cases, resulting from experience or tests currently in progress:

[source: EDRI-gram, Number 4, 12 March 2003]

Update on anti-spam legislation

(2003-03-14) [EDRI] The previous EDRI-gram mentioned six EU countries that already have a spam ban, Denmark, Germany, Finland, Greece, Italy and Austria, plus Hungary and Norway in Europe at large. France, Romania and Poland can now be added to this list.

[source: EDRI-gram, Number 4, 12 March 2003]

Limiting the storage of traffic data

(2003-03-14) [EDRI] The European data protection commissioners (through the Article 29 Working Party) have pleaded for a maximum storage period of half a year for the traffic data that telecommunications companies store for billing purposes. With the opinion paper the working party tries to limit both the duration and the scope of traffic data storage.

"Traffic data should be kept for as long as necessary to enable bills to be settled, and disputes resolved. Ordinarily this involves a maximum storage period of 3-6 months and no longer in cases where bills have been paid and do not appear to have been disputed or queried (having regard to the privacy right of individual subscribers)".

The working party also pleads for the stored traffic data to be limited to what is strictly necessary.

[source: EDRI-gram, Number 4, 12 March 2003]

Finland changes policy on software patents

(2003-03-14) [EDRI] Anticipating the new EU directive on software patents, the National Board of Patents and Registration of Finland (PRH) has decided to accept patents on software. Previously the Finns were a lot stricter than the European Patent Office. The stated reason for the change in policy is mind-boggling: because the European Parliament seems set to propose much more restrictive rules than the Council or the Commission, the new Software Patent Directive will be delayed, and therefore Finland felt it had to soften its line now.

[source: EDRI-gram, Number 4, 12 March 2003]

Agreement against cyber-attacks harms freedom of expression

(2003-03-14) [EDRI] The justice ministers of the EU countries (in the Council of the European Union) have agreed on a framework decision to harmonise the criminal law of EU countries regarding attacks on information systems.

The ministers agree that "there is evidence of attacks against information systems, in particular as a result of the threat from organised crime, and increasing concern at the potential of terrorist attacks against information systems which form part of the critical infrastructure of the Member States."

[source: EDRI-gram, Number 4, 12 March 2003]

User registration prepaid cards in Switzerland

(2003-03-13) [EDRI] Telecom providers in Switzerland must register user data for prepaid cards and keep the data available for a period of two years. Parliament decided today to add this obligation to a series of new anti-terrorism measures. No EU member state has a similar obligation. Telecom providers have always argued against mandatory identification, pointing to the high cost for the extensive network of resellers and the likelihood that people will help criminals by buying prepaid cards for them.

Switzerland used to be one of the few countries worldwide to sell prepaid cards for international roaming. The new measure does not just require identification for those specific roaming cards, but for all users of all prepaid cards. Last year [in Switzerland], law enforcement authorities made 80,000 requests for the identity of telephone users, resulting in 6,000 court-approved wiretaps. Of the 80,000 identity requests, 30,000 concerned prepaid mobile phones.

Debate in Swiss parliament about anti-terrorism measures (12.03.2003) http://www.parlament.ch/ab/frameset/d/n/4617/77205/d_n_4617_77205_77220.htm

[source: EDRI-gram, Number 4, 12 March 2003]

EU row over airline passenger data transmission

(2003-03-14) [EDRI] The Commission's secret talks with U.S. authorities on the transmission of air passenger data have caused a heavy clash between EU institutions.

Since 5 March, U.S. authorities have had access to most European airlines' passenger databases. On 10 March, the European Parliament's influential Committee on Citizens' Freedoms and Rights, Justice and Home Affairs (LIBE) adopted a resolution containing harsh criticism of the Commission's proceedings. It "questions the legal base and the repercussions" of the Joint Declaration with U.S. officials and "expresses concern that it could be interpreted as an indirect invitation to the national authorities to disregard Community law".

[source: EDRI-gram, Number 4, 12 March 2003]


Webmaster
Latest update: 2003-12-29 18:11:09